NiceGUI Markdown Component Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the NiceGUI framework's markdown component, specifically in versions through 3.6.1. The issue arises because the ui.markdown() function uses the markdown2 library to convert markdown into HTML, which is then rendered without proper sanitization. By default, markdown2 allows raw HTML to be passed through unchanged, enabling attackers to inject malicious HTML with JavaScript event handlers. This vulnerability is particularly concerning in applications that display user-generated content, such as chat messages or content management systems.
Impact
Exploitation of this vulnerability allows for cross-site scripting attacks, where an attacker can execute arbitrary JavaScript in the context of the user's browser. This could lead to stealing cookies or authentication tokens, performing actions on behalf of the user, redirecting users to malicious sites, or modifying page content.
Reproduction
To reproduce this vulnerability, create a NiceGUI application that uses the ui.markdown() component to render user-controlled input containing malicious HTML, such as an image tag with an onerror event handler. When the page loads, the injected JavaScript will execute, demonstrating the XSS vulnerability.
Remediation
Upgrade to NiceGUI version 3.7.0 or later, where this vulnerability is fixed. If upgrading is not possible, sanitize content before passing it to ui.markdown(), or escape HTML entities so that user-supplied text is rendered as literal text rather than interpreted as HTML.
