Cross-site scripting is gonna HTTP GET you

February 10th, 2010 | Posted by Quixey in Technology

While adding Markdown support for Quixey, we realized that Markdown’s support for raw HTML created an enormous cross-site scripting vulnerability.

We consulted the XSS Cheat Sheet and learned that there are hundreds of sinister tricks for hackers to inject malicious JS into any input field that offers a bare minimum of HTML support.

We decided to parse Markdown by disabling raw HTML input before invoking the Showdown converter, like this:

function markdownToSafeHtml(s) {
  // Escape "&" and "<" so that no raw HTML tag can survive, while leaving ">"
  // (Markdown's blockquote syntax) intact, then hand the result to Showdown.
  var e = s.replace(/&/g, "&amp;").replace(/</g, "&lt;");
  var converter = new Showdown.converter();
  return converter.makeHtml(e);
}

Afterwards, we kept reading the XSS Cheat Sheet page just to make sure that Quixey wouldn’t be vulnerable to another hacker trick. Then we saw this XSS trick:

<img src="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">

Here’s how the attack works:

  1. Hacker uses Markdown to make an image whose source is an admin URL on your domain.
  2. One of your administrators logs in and views the HTML-rendered version of the hacker-submitted Markdown.
  3. Your administrator’s browser makes an HTTP GET request to some admin URL that is used to, say, reset someone’s password.
  4. The password reset operation is successful, because the administrator’s browser sent a cookie verifying that the administrator is logged in.

The root of the problem is that it’s extremely easy to use XSS to get authorized users to make HTTP GET requests — whereas POST requests are somewhat harder to XSS-hack.

The solution is to follow the HTTP protocol guidelines, under which a GET must not have side effects, and require the user agent to make a POST for any operation that modifies server-side data.
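To make that concrete, here is an added example (not Quixey's code) of a toy admin endpoint that performs the password reset only on POST, so the GET that an administrator's browser fires while rendering a hacker-supplied image is refused even though the admin cookie is attached, while the administrator's own form submission still works. The session store, the user table and the path `/admin/reset_password` are assumptions made for the illustration.

```javascript
// Added example, not from the original post: a simulated admin endpoint that
// mutates state only on POST. Session and user data below are constructed.
const sessions = { "sid-1234": { user: "root", isAdmin: true } }; // cookie -> session
const users = { alice: { password: "original" } };               // assumed user table

function handleRequest(req) {
  // req is a simulated HTTP request: { method, path, cookie, params }
  const session = sessions[req.cookie];
  if (!session || !session.isAdmin) {
    return { status: 401, body: "admin login required" };
  }
  if (req.path === "/admin/reset_password") {
    // A browser fetches <img src="..."> with a GET and sends cookies
    // automatically, so a GET (or HEAD) here must never change anything.
    if (req.method !== "POST") {
      return { status: 405, headers: { Allow: "POST" }, body: "use POST" };
    }
    const target = users[req.params.user];
    if (!target) return { status: 404, body: "no such user" };
    target.password = req.params.newPassword;
    return { status: 200, body: "password reset for " + req.params.user };
  }
  return { status: 404, body: "not found" };
}

// What the administrator's browser sends when it renders the hacker's image:
// a GET to the admin URL, with the admin's session cookie attached.
function imgTriggeredRequest() {
  return handleRequest({
    method: "GET",
    path: "/admin/reset_password",
    cookie: "sid-1234",
    params: { user: "alice", newPassword: "attacker-chosen" },
  });
}

// The same operation submitted deliberately from the administrator's own form.
function adminFormRequest(newPassword) {
  return handleRequest({
    method: "POST",
    path: "/admin/reset_password",
    cookie: "sid-1234",
    params: { user: "alice", newPassword },
  });
}
```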

So don’t think your data is safe just because you’re checking if your user is authenticated as an administrator. Make sure a hacker can’t use cross-site scripting to HTTP GET you.
