DOM clobbering in sanitized MD causes errors
From external security tests, https://gitlab.com/gitlab-com/infrastructure/issues/2438:
- Effort: Low
- Impact: Info
- Location: Markdown
It was found that the Markdown sanitizer allows creating HTML `<img>` elements that carry a `name` attribute. The `name` attribute can be used to "clobber" existing native properties and methods on the `document` DOM object. As a result, an image can, for example, overwrite the method `document.getElementById()` with the image element itself and cause the website to fail, as this method is needed by various libraries and JS features.
The following HTML will "clobber" the methods `getElementById` and `getElementsByTagName`:

```html
<img name="getElementById" src=""> <img name="getElementsByTagName" src="">
```

With that HTML rendered on the page, the browser console shows:

```
16:12:26.888 TypeError: t.getElementsByTagName is not a function[Learn More] common.a208e8b828f4e7f4759b.bundle.js:24:427
16:12:34.298 TypeError: document.getElementById is not a function[Learn More] common.a208e8b828f4e7f4759b.bundle.js:1:22116
```
While no exploitable issue has been found yet, it is recommended to mitigate the issue nevertheless.

To reproduce:
- Create an MD file in any repository
- Add the HTML above and open the file
Please note that if, for example, the KaTeX rendering plugin is in use, it will stop working once the clobbering elements are on the page.

The `name` attribute should not be allowed for any HTML element.
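As an added example (not GitLab's code, nor the code of the sanitizer it uses), the following JavaScript shows the two sides of the recommendation above: a post-sanitizer pass that drops the `name` attribute from every element, and two checks that report what a given fragment would have clobbered. It assumes the input is the already-sanitized HTML fragment produced by the Markdown pipeline (well-formed start tags, no comments or scripts), so a simple tag/attribute tokenizer is enough; the `DOCUMENT_API` fallback list and the fake `document` object in `clobberedMethods` are constructed for running outside a browser.

```javascript
// Added example, not code from GitLab or its Markdown sanitizer.
// Assumption: `html` is the sanitizer's output (well-formed start tags,
// no comments or <script>), so a regex tokenizer over tags is sufficient.

// One start tag: tag name, raw attribute text, optional self-closing slash.
const TAG_RE = /<([a-zA-Z][\w:-]*)((?:\s+[^\s"'=<>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>]+))?)*)\s*(\/?)>/g;
// One attribute inside the raw attribute text: name and optional raw value.
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'=<>]+))?/g;

// Attributes removed from every element. The report asks for `name` to be
// disallowed on all elements, which is exactly what this pass enforces.
const CLOBBERING_ATTRS = new Set(['name']);

// Properties of Document.prototype that a clobbering `name` would shadow.
// In a browser the real prototype is used; in Node (where this example is
// run) a constructed subset stands in for it.
const DOCUMENT_API = typeof Document !== 'undefined'
  ? new Set(Object.getOwnPropertyNames(Document.prototype))
  : new Set(['getElementById', 'getElementsByTagName', 'getElementsByClassName',
             'querySelector', 'querySelectorAll', 'createElement', 'body', 'cookie']);

// Sanitizer side: rebuild every start tag without the clobbering attributes.
function stripClobberingAttrs(html) {
  return html.replace(TAG_RE, (whole, tag, attrText, selfClose) => {
    const kept = [];
    for (const [, attrName, rawValue] of attrText.matchAll(ATTR_RE)) {
      if (CLOBBERING_ATTRS.has(attrName.toLowerCase())) continue;
      kept.push(rawValue === undefined ? attrName : `${attrName}=${rawValue}`);
    }
    const attrs = kept.length ? ' ' + kept.join(' ') : '';
    return `<${tag}${attrs}${selfClose ? ' /' : ''}>`;
  });
}

// Review side: list the `name` values in a fragment that collide with a
// document API member, i.e. the properties the fragment would clobber.
function findClobberedProperties(html) {
  const hits = [];
  for (const [, , attrText] of html.matchAll(TAG_RE)) {
    for (const [, attrName, rawValue] of attrText.matchAll(ATTR_RE)) {
      if (attrName.toLowerCase() !== 'name' || rawValue === undefined) continue;
      const value = rawValue.replace(/^["']|["']$/g, '');
      if (DOCUMENT_API.has(value)) hits.push(value);
    }
  }
  return hits;
}

// Runtime side: a page script can call this before relying on the DOM API to
// learn which expected methods are no longer functions on `document`.
function clobberedMethods(doc, methods = ['getElementById', 'getElementsByTagName']) {
  return methods.filter((m) => typeof doc[m] !== 'function');
}

// The payload from the report, embedded here as sample input.
const REPORTED_PAYLOAD =
  '<img name="getElementById" src=""> <img name="getElementsByTagName" src="">';

// Constructed stand-in for a document whose getElementById was replaced by
// an element (an object), as happens after the payload above is rendered.
const FAKE_CLOBBERED_DOCUMENT = { getElementById: {}, getElementsByTagName() {} };

console.log(findClobberedProperties(REPORTED_PAYLOAD)); // [ 'getElementById', 'getElementsByTagName' ]
console.log(stripClobberingAttrs(REPORTED_PAYLOAD));     // <img src=""> <img src="">
console.log(clobberedMethods(FAKE_CLOBBERED_DOCUMENT));  // [ 'getElementById' ]
```

The stripping pass is deliberately attribute-based rather than value-based: filtering only `name` values that match today's `document` members would miss properties added by other scripts or future browser APIs, which is why the report recommends removing `name` outright.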