Parsed DisallowedRawHtml Extension, XSS Bypass via Whitespace Injection, CVE-2024-XXXXX (Critical)

Listen to this Post

How the mentioned CVE works

The DisallowedRawHtml extension, used to process untrusted markdown, contains a critical flaw in its regex pattern designed to block dangerous HTML tags like <script>. The vulnerability stems from the regex character class [ \/>], which only looked for a space, forward slash, or closing bracket to terminate a tag name. It failed to account for other ASCII whitespace characters that browsers recognize as valid separators between a tag name and its closing >. An attacker can bypass the filter by inserting a newline (\n), tab (\t), or other whitespace character directly after the tag name. For example, the payload `` passes through the filter undetected. When this payload is rendered in a victim’s browser, the browser ignores the newline and parses it as a valid `

Scroll to Top