Stored XSS via KaTeX
HackerOne report #448970 by jouko on 2018-11-23:
User-editable Markdown is used widely on GitLab, and hyperlinks in it are normally checked for safety.
Description: KaTeX math blocks support a link syntax of their own; it is documented in the reference at https://katex.org/docs/supported.html#html
Steps To Reproduce:
- Go to the Markdown editor, e.g. view a Snippet and enter a comment such as:
- Click Preview to see the Markdown rendered
Impact: the normal stored XSS impact. The victim is required to click on the link.
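One defensive check this report suggests, as an added example that is not GitLab's or KaTeX's own code: instead of trusting only the Markdown-level link filter, apply the same scheme allow-list to anchors in the renderer's HTML output, so a link produced by KaTeX's own syntax is held to the same rule. The allowed-scheme set and the sample rendered fragments are assumptions made for this example.

```python
"""Allow-list check for link targets in rendered KaTeX HTML.

Added example, not GitLab's or KaTeX's code. Assumes the renderer has already
produced HTML and that links appear as ordinary <a href="..."> anchors.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy: relative links and these schemes only.
SAFE_SCHEMES = {"http", "https", "mailto"}


def is_safe_href(href: str) -> bool:
    """True for relative links or allow-listed schemes, False otherwise."""
    # strip() defeats leading-whitespace tricks; urlsplit lower-cases the scheme.
    scheme = urlsplit(href.strip()).scheme
    return scheme == "" or scheme in SAFE_SCHEMES


class _HrefCollector(HTMLParser):
    """Collects every href attribute from <a> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value is not None:
                    self.hrefs.append(value)


def unsafe_hrefs(rendered_html: str) -> list[str]:
    """Return every anchor target in the rendered HTML that fails the check."""
    parser = _HrefCollector()
    parser.feed(rendered_html)
    return [h for h in parser.hrefs if not is_safe_href(h)]


# Constructed samples (simplified; real KaTeX output carries more spans/classes).
SAMPLE_SAFE = '<span class="katex"><a href="https://katex.org/docs/supported.html">docs</a></span>'
SAMPLE_UNSAFE = '<span class="katex"><a href="javascript:void(0)">click</a></span>'

if __name__ == "__main__":
    print(unsafe_hrefs(SAMPLE_SAFE))    # []
    print(unsafe_hrefs(SAMPLE_UNSAFE))  # ['javascript:void(0)']
```

Anything returned by `unsafe_hrefs` should be dropped or rewritten to a safe placeholder before the HTML reaches the browser.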