Mistune Markdown Parser ID Attribute Injection Vulnerability in HTMLRenderer

Vulnerability

A cross-site scripting vulnerability has been identified in versions of the Mistune Markdown parser prior to 3.2.1. The issue arises in the HTMLRenderer.heading() method, which constructs heading tags by concatenating the id attribute value directly into the HTML without escaping it. This flaw allows an attacker to inject arbitrary attributes, such as event handlers or links, into the heading element. The vulnerability is exploitable when the id value includes a double-quote character, which closes the attribute value early and lets the rest of the string be parsed as additional attributes.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected JavaScript is executed in the context of the user's browser. This could lead to theft of session cookies or authentication tokens, manipulation of the Document Object Model, injection of phishing content, or a frozen or crashed webpage.

Reproduction

To reproduce this vulnerability, create a Markdown parser with the default Table of Contents (TOC) hook, which generates safe, auto-incremented IDs. Then, replace the default heading_id callback with one that returns raw heading text, including a double-quote and an injected attribute. When the heading is rendered, the id attribute will include the injected content, demonstrating the vulnerability.
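
The attribute break-out described above, modeled in a few lines of Python as an added example: this is not Mistune's source code or the project's patch. `heading_unescaped`, `heading_escaped`, `attribute_names` and the sample id are hypothetical names and constructed values, and escaping the id with `html.escape` is shown as one way to close the gap, not as the change made in 3.2.1.

```python
from html import escape
from html.parser import HTMLParser


def heading_unescaped(text, level, heading_id=None):
    """Model of the flawed pattern: the id is concatenated into the tag as-is.

    `text` is assumed to be already-rendered inline HTML.
    """
    tag = "h" + str(level)
    html = "<" + tag
    if heading_id:
        html += ' id="' + heading_id + '"'
    return html + ">" + text + "</" + tag + ">\n"


def heading_escaped(text, level, heading_id=None):
    """Same output shape, but the id is HTML-escaped, quotes included."""
    tag = "h" + str(level)
    html = "<" + tag
    if heading_id:
        html += ' id="' + escape(heading_id, quote=True) + '"'
    return html + ">" + text + "</" + tag + ">\n"


class _AttrCollector(HTMLParser):
    """Records the attribute names of every start tag it is fed."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(name for name, _ in attrs)


def attribute_names(html):
    """Return the attribute names an HTML parser sees in the markup."""
    parser = _AttrCollector()
    parser.feed(html)
    parser.close()
    return parser.attrs


# Constructed id, as a heading_id callback returning raw heading text could produce.
SAMPLE_ID = 'intro" data-injected="1'

if __name__ == "__main__":
    for render in (heading_unescaped, heading_escaped):
        out = render("Intro", 1, SAMPLE_ID)
        print(render.__name__, attribute_names(out), out, end="")
```

Running `attribute_names` over rendered output in a regression test catches this class of bug: a heading should never carry an attribute the renderer did not set itself.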

Remediation

Users should update to Mistune version 3.2.1 or later, where this vulnerability has been fixed.

Added: May 26, 2026, 9:46 PM
Updated: May 26, 2026, 9:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 1.7
exploitability: 5.8
remediation: 7.7
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.