# Potential CommonMark Exploits

This CommonMark file demonstrates some potential exploits if untrusted input is rendered with a compliant renderer. The point of this file isn't to say that CommonMark is unsafe --- the features below are very useful in many situations and are worth having in the CommonMark spec --- but that it is not safe to give untrusted input to CommonMark renderers without taking precautions.

Github doesn't render gists using CommonMark, so they won't appear as exploits below. **Look at the source of this gist for the actual CommonMark.**

# Exploits

This [link](javascript:alert\(window\)) will execute a script.

[linkrefjs]: javascript:alert("gotcha")

This one [linkrefjs] defined by a linkref will also.

Same with URL autolinks <javascript:alert(window)>. (Email autolinks might be considered unsafe too since they will typically launch an external application.)

Raw HTML blocks can be used to insert links and on _any tag_ arbitrary attributes that can inject scripting:

<a href="" onclick="alert('uh-oh')">click me</a>

Script tags:

<script>alert("yes this ran");</script>

Style tags:

<style>body { margin: 5em; }</style>

and any other tag. They can also appear <script>document.write('inline');</script>.

Images that pull remote content could be used by an attacker to sniff who is rendering the content:

![remote content](https://attacker_domain/track_user.php)

and could also trigger logouts or other actions on sites that have CSRF vulnerabilities.

Image tags can also embed unsafe content, here a data URL holding an SVG image that uses inline scripting:

![](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" version="1.1">
  <rect x="0" y="0" width="500" height="500"
  	fill="lime" onclick="alert('Hi there')"/>
</svg>)

(One must also wonder if the embedded XML leads to other vulnerabilities, since XML processing often has network-related unintended consequences.)

Raw HTML can also render XHTML processing instructions, doctypes, and comments which while not generally unsafe could potentially trigger special behavior:

<?something here?>

<!DOCTYPE something>

<!-- rendered as an HTML comment -->

And finally fenced code blocks can cause the insertion of an abitrary CSS tag, generally prefixed by `language-`, but this is implementation dependent, so it may or may not be safe.

```ruby
generates <code class="language-ruby">...
```