Advice about sanitizing markdown

[sonnatager]

I have following situation. I have developed a application with the possibility to add and save a markdown text.
To prevent XSS, the following process happens:

1. Before saving the markdown, the user needs to validate it and presses a validate button
2. Markdown text is send to the backend
3. Markdown text is converted to HTML using the markdig library
4. The outcome is then sanitized by the HtmlSanitizer (see code below)
5. If there is anything removed, the user gets a validation error and cannot save the markdown text
6. User needs to adapt the markdown text and process starts againg with 1.)

As a hint: The markdown text is saved if it is valid, NOT the html. It is then loaded from the backend by potentially other users and then converted in the frontend to html. <-- potentially risk of XSS

Now let's assume we have following markdown text:

[XSS](javascript:alert('XSS'))

I have manually encoded the href part as Unicode Hex Character Code to simulate a XSS attack:

[XSS](&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29)

which is converted in the backend to this by the markdig library and this is then used to sanitized by the HtmlSanitizer:

<p><a href="&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29">XSS</a></p>

The problem is, that now the HtmlSanitizer does not sanitize the html.

My code is as follow:

using Markdig;
using Ganss.Xss;
using Markdig.Extensions.EmphasisExtras;

.
.
.

public bool Validate(string markdownText)
{    
    var rendered = Markdown.ToHtml(markdownText);
    
    var isValid = true;
    
    var sanitizer = new HtmlSanitizer();
    sanitizer.AllowedSchemes.Add("mailto");
    sanitizer.RemovingTag += (_, _) => isValid = false;
    sanitizer.RemovingAttribute += (_, _) => isValid = false;
    sanitizer.RemovingComment += (_, _) => isValid = false;
    sanitizer.RemovingStyle += (_, _) => isValid = false;
    sanitizer.RemovingAtRule += (_, _) => isValid = false;
    sanitizer.RemovingCssClass += (_, _) => isValid = false;
    sanitizer.Sanitize(rendered);
    
    return isValid;
}

Maybe I am missing something. Can anyone give me a hint about this kind of problem?

[mganss]

The resulting HTML doesn't carry XSS potential does it?

[sonnatager]

I checked it and it is now treated as a relative link. So no more XSS in the resulting HTML.
But I'm not using the resulting HTML, I'm just using these events to detect all the removed things in the HTML. Maybe this is the wrong approach.
Is there a way to detect if there is an XSS in an HTML or not?

[mganss]

HtmlSanitizer doesn't check for XSS per se, so there is no way of detecting if the input contains XSS.

I think your approach seems legitimate for the use case you have described. As far I have understood your use case, it's not only about XSS but also about letting the user know that some of the markup they have used would be removed, letting them revise their input.

[sonnatager]

Yes, that is exactly my usecase. I want to inform the user, if the markdown text they provided, contains any potential malicious stuff, so they cannot save this markdown.

But i did a small analysis how e.g. Github is doing that like in this comment functioniality. They are sending the markdown to the backend and are rendering and sanitizing it in the backend too. So i will do the same and do that in the backend.

[sonnatager]

I have implemented the rendering of markdown now in the backend. I use markdig and now i just send the rendered html back to the frontend. So this is working fine now, and the above vulnerability is solved 😄