Security Vulnerability

[EgidioRomano]

Hi!

On December 23, 2020 I've tried to reach out to you in order to report details about a security vulnerability in Docsify.js, but I still haven't received any response to my email. Is there an appropriate channel where I should report the security issue?

[anikethsaha]

Can you mail Snyk first regarding the vulnerability. And we will take action once there is a confirmation from them.
Also, feel free to DM us in discord if it helps.
Thanks.

[EgidioRomano]

Hi @anikethsaha,

I can still reproduce the vulnerability with docsify version 4.12.0. By using more than two forward slashes (i.e. ///) is still possible to load an external URL and its HTML content is not correctly sanitized, both in the sidebar and main page:

[sy-records]

@EgidioRomano Can you use this for testing?

<link rel="stylesheet" href="//cdn.jsdelivr.net/gh/sy-records/docsify-nightly/lib/themes/vue.css" />

<script src="//cdn.jsdelivr.net/gh/sy-records/docsify-nightly/lib/docsify.min.js"></script>

or use https://docsify-preview.now.sh/ testing

[EgidioRomano]

Hi @sy-records,

My Proof of Concept doesn't work on https://docsify-preview.now.sh.
Is it running a different version than the one at https://docsify.js.org ?

[sy-records]

Yes, docsify-preview.now.sh is the develop branch preview, docsify.js.org is the master branch.
You can use my nightly version https://github.com/sy-records/docsify-nightly

[snoopysecurity]

If the fix is with the dev branch, is it possible to push it to master and publish a new release @sy-records?

[sy-records]

If the fix is with the dev branch, is it possible to push it to master and publish a new release @sy-records?

cc @docsifyjs/reviewers