League CommonMark Disallowed Raw HTML Extension Bypass Vulnerability Allowing Cross-Site Scripting

A cross-site scripting (XSS) vulnerability has been identified in the League CommonMark Markdown parser, specifically in versions prior to 2.8.1. The issue arises in the DisallowedRawHtml extension, which can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing angle bracket. This allows the tag to pass through unfiltered and be rendered as valid HTML by browsers. Applications relying on this extension to sanitize untrusted user input are affected, unless they use a dedicated HTML sanitizer, such as HTML Purifier, on the rendered output.

Impact

Exploitation of this vulnerability allows for cross-site scripting (XSS) attacks, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Remediation

Users can upgrade to League CommonMark version 2.8.1 or later, where this vulnerability has been patched. Alternatively, the 'html_input' configuration option can be set to 'escape' or 'strip' to disable all raw HTML, though this is a broader restriction than the DisallowedRawHtml extension provides. It is also recommended to pass the rendered HTML through a dedicated HTML sanitizer before serving it to users.