Outdated Parsedown 1.7.4 with known XSS bypasses in safe mode #8

Open
opened 2026-05-14 21:15:21 +02:00 by Claude · 0 comments

Problem

composer.lock pins erusev/parsedown at version 1.7.4 (released 2019-12-30). Parsedown's safe mode — enabled with $Parsedown->setSafeMode(true) — is the application's sole defense against XSS when storing user-submitted messages. Version 1.7.4 is the last stable release on the 1.x line and has not received security updates since 2019.

Location

composer.lock, erusev/parsedown entry
message.php, lines 42–45 (safe mode usage)

Risk

Multiple XSS bypasses in Parsedown 1.7.x safe mode have been publicly documented (e.g. via crafted image alt text, link titles, and inline HTML fragments that survive safe-mode filtering). Since the stored HTML is rendered raw in index.php (see related issue), any successful bypass results in stored XSS for all visitors of that message. The library appears unmaintained on the 1.x branch, so no patch is forthcoming.

Suggested fix direction

  • Replace Parsedown with an actively maintained Markdown library such as league/commonmark, and add a dedicated HTML sanitizer (e.g. ezyang/htmlpurifier or masterminds/html5) as a post-processing step.
  • Alternatively, if Parsedown must be kept, add HTMLPurifier as a second sanitization pass over its output before storing to the database.
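The two fix directions above, as an added example written for this issue rather than code taken from the OpenLongr repository: a two-stage pipeline in which the Markdown library never has the last word, and a regression check that the test suite can run over rendered output. It assumes `league/commonmark` and `ezyang/htmlpurifier` have been added via Composer, that Parsedown 1.7.4 is still installed for the fallback path, and that the function names (`renderMessageCommonMark`, `renderMessageParsedown`, `containsActiveContent`) are placeholders chosen for the illustration.

```php
<?php
// Added example, not code from the OpenLongr project.
// Stage 1: Markdown -> HTML with inline HTML disabled.
// Stage 2: HTMLPurifier allow-list over the result, so the Markdown library
// is no longer the sole XSS defence (the situation this issue describes).
// Assumes: composer require league/commonmark ezyang/htmlpurifier
require __DIR__ . '/vendor/autoload.php';

use League\CommonMark\CommonMarkConverter;

/** Allow-list used by HTMLPurifier; every element/attribute not listed is dropped. */
function messagePurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Cache.DefinitionImpl', null); // no on-disk definition cache in this example
    $config->set('HTML.Allowed',
        'p,br,strong,em,code,pre,blockquote,ul,ol,li,h1,h2,h3,a[href],img[src|alt]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]); // no javascript:/data:
    $config->set('HTML.Nofollow', true);
    $config->set('HTML.TargetBlank', true);
    return new HTMLPurifier($config);
}

/** Preferred path (first bullet): league/commonmark with raw HTML stripped, then purified. */
function renderMessageCommonMark(string $markdown): string
{
    $converter = new CommonMarkConverter([
        'html_input'         => 'strip', // drop inline HTML instead of passing it through
        'allow_unsafe_links' => false,   // refuse javascript:, vbscript:, file:, data: links
    ]);
    $html = (string) $converter->convert($markdown);
    return messagePurifier()->purify($html);
}

/** Fallback path (second bullet): keep Parsedown, but never store its output unpurified. */
function renderMessageParsedown(string $markdown): string
{
    $parsedown = new Parsedown();
    $parsedown->setSafeMode(true);
    return messagePurifier()->purify($parsedown->text($markdown));
}

/**
 * Regression check for the test suite: rendered output must contain no script
 * element, no on* event-handler attribute and no javascript: URL, whichever
 * Markdown library produced it. True means the pipeline failed.
 */
function containsActiveContent(string $html): bool
{
    return (bool) preg_match('/<script\b|\son[a-z]+\s*=|javascript\s*:/i', $html);
}

// Constructed sample inputs: one ordinary message and two textbook probes
// (an unsafe link scheme and an inline HTML fragment with an event handler).
$samples = [
    'Hello **world**, see [docs](https://example.com/docs).',
    '[click](javascript:alert(1))',
    '<img src=x onerror=alert(1)> plain text',
];
foreach ($samples as $md) {
    $outputs = [
        'commonmark' => renderMessageCommonMark($md),
        'parsedown'  => renderMessageParsedown($md),
    ];
    foreach ($outputs as $lib => $out) {
        printf("%-10s %-4s %s\n", $lib, containsActiveContent($out) ? 'FAIL' : 'ok', $out);
    }
}
```

Store only what `renderMessageCommonMark()` (or, if Parsedown must stay, `renderMessageParsedown()`) returns; the purifier's allow-list, not Parsedown's safe mode, then decides which markup reaches `index.php`. Wiring `containsActiveContent()` into the test suite over a corpus of known-bad inputs gives an early warning if a future dependency upgrade loosens either stage.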

Severity

moderate

Found by

Automated audit by Claude Code

Reference
bc1bb/OpenLongr#8