Markdown links are not sanitized in chat #20

Open
opened 2026-03-02 13:09:56 +00:00 by sarkazm · 0 comments

Description

Markdown links allow unsafe URL schemes (such as javascript:, data:, and file:) to render as clickable links. The browser may display a warning or block execution, but the application itself does not sanitize or restrict these schemes before rendering. Protection is only at the browser level rather than at the application level. Potential XSS attack surface.

Steps to Reproduce

  1. Navigate to Empirian Hall and open a channel
  2. Post the following messages:
     [click me](javascript:alert(1))
     [click me](JaVaScRiPt:alert(1))
     [click me](data:text/html,<script>alert(1)</script>)
     [click me](file:///lulz/test)
     [click me](mailto:LegitEmail@TotallyNotSus.com)
  3. Each renders as an underlined, clickable link
  4. Click the links

Expected Behavior

  • Markdown links should only allow safe URL schemes (e.g., https:, http:)
  • javascript:, data:, and file: should be rendered as plain text, or be stripped/neutralized before rendering
  • The application should not rely on browser warnings or blocking behavior for protection

Actual Behavior

  • Links using javascript:, data:, and file: render as clickable links
  • Clicking them may trigger a browser warning or open a blank tab
  • The application does not sanitize or restrict unsafe links created using Markdown

Environment

  • Device: PC
  • Browser: Chrome
  • OS: Windows
  • URL: https://community.the-empiric.com/app
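One way to implement the scheme allowlist the Expected Behavior section asks for, as an added example that is not the Empirian Hall code: it assumes the Markdown parser hands the decoded link destination to `safeHref`/`renderLink` (hypothetical names), uses the app URL from the Environment section as the base for relative links, and treats `mailto:` as opt-in since the report does not list it among the unsafe schemes.

```javascript
// Scheme allowlist for Markdown link destinations, applied before rendering.
// Assumed design (not the project's code): the Markdown parser gives us the
// decoded link destination; we return a normalized safe href or null.
const DEFAULT_ALLOWED_SCHEMES = new Set(['http:', 'https:']);
// Base URL taken from the issue's Environment section; relative links resolve against it.
const APP_BASE = 'https://community.the-empiric.com/app/';

// Decode numeric HTML entities so "&#106;avascript:" cannot slip past the
// scheme check if a caller passes a destination that was not yet decoded.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|\d+);/gi, (match, n) => {
    const code = n[0].toLowerCase() === 'x' ? parseInt(n.slice(1), 16) : parseInt(n, 10);
    return Number.isFinite(code) && code <= 0x10ffff ? String.fromCodePoint(code) : match;
  });
}

// Returns the normalized absolute href when its scheme is allowed, else null.
// WHATWG URL parsing strips leading/trailing space and C0 controls, removes
// embedded tab/CR/LF, and lower-cases the scheme, so "JaVaScRiPt:",
// " \tjavascript:" and "java\nscript:" all normalize to "javascript:" and
// are rejected on the same path as the plain form.
function safeHref(dest, allowed = DEFAULT_ALLOWED_SCHEMES, base = APP_BASE) {
  let url;
  try {
    url = new URL(decodeNumericEntities(dest), base);
  } catch {
    return null; // unparsable destination: render as text, never as a link
  }
  return allowed.has(url.protocol) ? url.href : null;
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Renders a Markdown link as <a> only when the destination passes the
// allowlist; otherwise the Markdown source is emitted as escaped plain text,
// which is the "render as plain text" option from the report.
function renderLink(text, dest, allowed = DEFAULT_ALLOWED_SCHEMES) {
  const href = safeHref(dest, allowed);
  if (href === null) return escapeHtml(`[${text}](${dest})`);
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
}
```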