ZEPPELIN-4952

Markdown interpreter can be used to store XSS in notebooks.


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.10.0
    • Component/s: None
    • Labels: None

    Description

      The %md interpreter can be used to store XSS in notebooks. These cells are rendered automatically when the notebook is opened, so no manual user interaction is needed.
       
      Also, it doesn't matter whether the cell already has a result or not.
       
       
      %md

      1. foo <script>alert(String.fromCharCode(88,83,83))</script>  
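The rendering path the report describes, as an added example (this is not Zeppelin's code, and it does not show how the project fixed the issue). A toy markdown renderer either copies inline HTML from the cell source into its output, which is what turns a %md paragraph into a stored-XSS sink, or escapes it first. A constructed note object with one %md paragraph, optionally carrying a cached result, models the second point in the report: a result that was already stored is shown as-is on open, so a fix that only changes the renderer does not help unless stored results are also re-rendered or sanitized. All function and field names here are this example's own assumptions, and the payload is constructed to match the one above.

```javascript
// Added example, not Zeppelin's code. Names (renderMarkdown, openNote, the
// note/paragraph shape) are assumptions made for illustration.

function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Markdown inline syntax, applied after the escaping decision has been made
// so that markup produced here is the only markup in the output.
function inline(s) {
  return s.replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>');
}

// Tiny markdown subset: ordered-list items and paragraphs. With
// allowRawHtml = true, HTML in the cell source is copied straight through,
// which is the behaviour the report relies on.
function renderMarkdown(src, { allowRawHtml }) {
  const text = allowRawHtml ? src : escapeHtml(src);
  const out = [];
  let inList = false;
  for (const line of text.split('\n')) {
    const item = /^\s*\d+\.\s+(.*)$/.exec(line);
    if (item) {
      if (!inList) { out.push('<ol>'); inList = true; }
      out.push(`<li>${inline(item[1])}</li>`);
      continue;
    }
    if (inList) { out.push('</ol>'); inList = false; }
    if (line.trim()) out.push(`<p>${inline(line)}</p>`);
  }
  if (inList) out.push('</ol>');
  return out.join('\n');
}

// Heuristic used only to check this example's own output: does the HTML
// carry something a browser would execute when the page renders?
function containsActiveContent(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=|javascript:/i.test(html);
}

// Constructed payload, same shape as the one in the report.
const PAYLOAD = '1. foo <script>alert(String.fromCharCode(88,83,83))</script>';

// Constructed note: one %md paragraph, saved with or without a cached result.
// The cached result is what a vulnerable renderer would have produced earlier.
function makeNote(withCachedResult) {
  const para = { text: '%md\n' + PAYLOAD, result: null };
  if (withCachedResult) {
    para.result = renderMarkdown(PAYLOAD, { allowRawHtml: true });
  }
  return { paragraphs: [para] };
}

// What a frontend does when a note is opened: every paragraph's HTML is
// produced without the user doing anything. If a stored result is trusted,
// it is shown as-is and the renderer setting never comes into play.
function openNote(note, { allowRawHtml, trustStoredResults }) {
  return note.paragraphs.map((p) => {
    if (p.result !== null && trustStoredResults) return p.result;
    const src = p.text.replace(/^%md\n/, '');
    return renderMarkdown(src, { allowRawHtml });
  });
}
```

Escaping inline HTML is the simplest sound mitigation when raw HTML in markdown is not a requirement; if it must stay supported, the output has to go through a vetted allowlist sanitizer at the point where it enters the DOM, rather than a pattern check like containsActiveContent, which exists here only to make the example's result observable.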

          People

            Assignee: prabhjyotsingh Prabhjyot Singh
            Reporter: fooinha Paulo Pacheco


              Time Tracking

                Estimated: Not Specified
                Remaining: 0h
                Logged: 1h 20m