league/commonmark Attributes Extension Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the Attributes extension of the league/commonmark library, affecting versions from 1.5.0 up to, but not including, 2.7.0. It allows remote attackers to inject malicious JavaScript into the rendered HTML. The issue arises because the Attributes extension lets users attach arbitrary HTML attributes to elements via Markdown syntax, and those attributes can be used to execute JavaScript. Although league/commonmark offers configuration options to mitigate XSS, these protections can be bypassed when the Attributes extension is active.

Impact

Exploitation of this vulnerability allows for cross-site scripting attacks, where an attacker can inject and execute malicious JavaScript in the context of the user's browser.

Reproduction

To reproduce this vulnerability, use league/commonmark version 1.5.0 through 2.6.x with the Attributes extension enabled. Inject a Markdown payload that includes JavaScript event attributes, such as 'onerror', into an image tag. When the rendered HTML is displayed in a browser, the JavaScript executes immediately on page load.

Remediation

Upgrade to league/commonmark version 2.7.0 or later, where this vulnerability is fixed. If upgrading is not possible, consider disabling the Attributes extension for content from untrusted users, or filtering the rendered HTML with a library such as HTMLPurifier.
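The two workarounds above, combined, as an added PHP example that is not part of the advisory or of the league/commonmark project: the Attributes extension is registered only for trusted authors, and all rendered HTML is passed through HTMLPurifier. It assumes league/commonmark 2.x and ezyang/htmlpurifier are installed via Composer; the trusted-author flag and the sample Markdown are constructed for illustration.

```php
<?php
// Added example (not the advisory's or the project's own code): gate the
// Attributes extension on author trust and purify the rendered HTML.
// Assumes league/commonmark 2.x and ezyang/htmlpurifier via Composer.
require __DIR__ . '/vendor/autoload.php';

use League\CommonMark\Environment\Environment;
use League\CommonMark\Extension\Attributes\AttributesExtension;
use League\CommonMark\Extension\CommonMark\CommonMarkCoreExtension;
use League\CommonMark\MarkdownConverter;

function buildConverter(bool $trustedAuthor): MarkdownConverter
{
    // Core hardening options. These govern raw HTML and link schemes in the
    // Markdown itself; the advisory notes they are bypassed once the
    // Attributes extension is active, hence the gating below.
    $environment = new Environment([
        'html_input'         => 'strip', // drop raw HTML found in the Markdown
        'allow_unsafe_links' => false,   // reject javascript:/data: style links
    ]);
    $environment->addExtension(new CommonMarkCoreExtension());

    // Only trusted authors get the {.class #id key=value} attribute syntax.
    if ($trustedAuthor) {
        $environment->addExtension(new AttributesExtension());
    }

    return new MarkdownConverter($environment);
}

function renderSafely(string $markdown, bool $trustedAuthor): string
{
    $html = (string) buildConverter($trustedAuthor)->convert($markdown);

    // Defense in depth: HTMLPurifier's default configuration removes on*
    // event-handler attributes and other script-bearing markup, so even
    // output produced with the extension enabled is filtered.
    $purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
    return $purifier->purify($html);
}

// Constructed sample input that uses the extension's attribute syntax.
$markdown = "# Release notes {.title #notes}\n\n"
          . "See the ![diagram](diagram.png){.wide} below.";

// Untrusted author: attribute syntax is left as literal text, output purified.
echo renderSafely($markdown, false), PHP_EOL;
```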

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 8.4
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.