XSS in Gitlab Flavored Markdown due to mermaid
HackerOne report #446236 by manfp on 2018-11-17:
Inserting the following (remove the space in "` ``" on the last line; a plain text copy is attached):
```mermaid
graph TD
A["<img src=invalid onerror=alert('XSS')></img>"]
` ``
into any markdown document in GitLab (such as a README.md or snippet comments) triggers a cross-site scripting vulnerability. As the bug seems to be in mermaid itself, I simultaneously contacted the npm package maintainers about this.
Impact
Stored XSS that is executed upon opening a project or snippet owned by the attacker
Edited by Dennis Appelt
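The report shows a node label in a mermaid flowchart being emitted into the page as live HTML. The defensive counterpart is to treat every label as untrusted text: escape it before it reaches the renderer, and log any label that looks like markup so attempts are visible. The following is an added illustration, not code from GitLab, mermaid or the reporter; it assumes a simplified label grammar (only the `A["..."]` double-quoted form) and uses the report's own diagram as constructed sample input. Mermaid itself later gained a `securityLevel` setting whose `strict` mode encodes labels on the renderer side; the input-side escaping below is an independent check, not a replacement for that setting.

```javascript
// Added example (not GitLab's or mermaid's code): defensive handling of
// untrusted mermaid node labels before they are handed to the renderer.

// Escape the characters that would let a label become markup when it is
// injected into the rendered SVG/HTML. Each character is mapped exactly
// once, so '&' is never double-encoded.
function escapeLabel(label) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return label.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Match quoted node labels such as A["..."] (assumed, simplified grammar:
// only the double-quoted form; backslash escapes inside the quotes are kept).
const LABEL_RE = /\[\s*"((?:[^"\\]|\\.)*)"\s*\]/g;

// Rewrite every quoted label in a diagram source with its escaped form.
function escapeDiagramLabels(source) {
  return source.replace(LABEL_RE, (_m, inner) => `["${escapeLabel(inner)}"]`);
}

// Detection: return labels containing a tag start or an inline event
// handler attribute, so a reviewer or log pipeline can see the attempt.
function findSuspiciousLabels(source) {
  const hits = [];
  for (const m of source.matchAll(LABEL_RE)) {
    const inner = m[1];
    if (/<\s*[a-z]/i.test(inner) || /\bon[a-z]+\s*=/i.test(inner)) {
      hits.push(inner);
    }
  }
  return hits;
}

// Constructed sample: the diagram from the report plus a benign node.
const SAMPLE = [
  'graph TD',
  'A["<img src=invalid onerror=alert(\'XSS\')></img>"]',
  'B["plain label"]',
  'A --> B',
].join('\n');

// Stand-alone usage: show what the renderer would receive and what was flagged.
console.log(escapeDiagramLabels(SAMPLE));
console.log('flagged labels:', findSuspiciousLabels(SAMPLE));
```

Run with `node` and compare the first printed diagram with the original: the label still reads as text in the rendered node, but no `<img>` element or `onerror` handler survives. The detection function deliberately stays separate from the escaping so that a deployment can choose to reject, escape, or merely alert on such labels.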