Sourcecodester Markdown to HTML Converter Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in Sourcecodester Markdown to HTML Converter version 1.0. The issue resides in the 'Markdown Input' field, where a remote attacker can inject arbitrary HTML or JavaScript. This injected code executes in the victim's browser when the 'Convert to HTML' button is clicked.
Impact
Successful exploitation executes injected scripts in the context of the user's browser. This could lead to theft of cookies or session tokens, enabling attackers to impersonate users and escalate privileges. Additionally, it could facilitate in-page phishing, credential harvesting, or malware distribution through the executed scripts.
Reproduction
To reproduce this vulnerability, insert a malicious HTML or JavaScript payload into the 'Markdown Input' field. After injecting the payload, click the 'Convert to HTML' button. The injected script will be executed when the 'HTML Output' is displayed, especially if the output includes a button or link that triggers the script, such as one labeled 'Click Me'.
Remediation
To mitigate this vulnerability, implement input validation and sanitization to rigorously check and encode user-supplied data before rendering it. Consider applying a Content Security Policy (CSP) to restrict script sources and prevent the execution of inline scripts. Properly encode data based on the context before outputting it, and use secure frameworks or libraries that automatically handle escaping to prevent XSS. Additionally, mark session cookies as HttpOnly to prevent access via client-side scripts.
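As an illustration of the context-aware encoding recommended above, the following added example (not code from the original page or from the Sourcecodester project) renders a small Markdown subset by HTML-escaping the input first and only then emitting its own tags, with link schemes restricted to an allowlist. The function names `escapeHtml`, `safeHref`, `renderInline` and `renderMarkdown`, the supported subset (headings, bold, links, paragraphs) and the sample input are assumptions made for the example.

```javascript
// Added example, not the converter's own code; all names are hypothetical.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allowlist link schemes; anything else (javascript:, data:, ...) is rejected.
function safeHref(url) {
  const trimmed = url.trim();
  return /^(https?:\/\/|mailto:)/i.test(trimmed) ? trimmed : null;
}

// Inline formatting runs on already-escaped text, so only tags emitted here are markup.
// The URL class excludes < and > so an emitted <strong> can never land inside an href.
function renderInline(escaped) {
  return escaped
    .replace(/\*\*(.+?)\*\*/g, "<strong>$1</strong>")
    .replace(/\[([^\]]+)\]\(([^)\s<>]+)\)/g, (match, label, url) => {
      const href = safeHref(url);
      return href ? `<a href="${href}" rel="noopener noreferrer">${label}</a>` : label;
    });
}

// Escape each block first, then apply the Markdown rules to the escaped text.
function renderMarkdown(markdown) {
  return String(markdown)
    .split(/\n{2,}/)
    .map((block) => block.trim())
    .filter(Boolean)
    .map((block) => {
      const escaped = escapeHtml(block);
      const heading = /^(#{1,6})\s+(.*)$/.exec(escaped);
      if (!heading) return `<p>${renderInline(escaped)}</p>`;
      const level = heading[1].length;
      return `<h${level}>${renderInline(heading[2])}</h${level}>`;
    })
    .join("\n");
}

// Constructed sample input: ordinary Markdown mixed with raw HTML and a script-scheme link.
const SAMPLE = [
  "# Release **notes**",
  '<button onclick="alert(1)">Click Me</button>',
  "[docs](https://example.com/a?x=1&y=2) and [bad](javascript:x)",
].join("\n\n");

console.log(renderMarkdown(SAMPLE));
```

The rendered string can then be assigned to the 'HTML Output' container; a Content Security Policy that disallows inline scripts remains useful as a second layer if the renderer is ever bypassed.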
