VYPR
Medium severity · 6.1 · NVD Advisory · Published Sep 21, 2017 · Updated May 13, 2026

CVE-2015-3296

Description

Multiple cross-site scripting (XSS) vulnerabilities in NodeBB before 0.7 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) javascript: or (2) data: URLs.
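As an added example (not code from NodeBB or markdown-it), the following link validator follows the design of the markdown-it fix shown under Patches: script-capable schemes are denied, data: URLs are accepted only for a fixed list of raster image MIME types, and a rejected target is left as literal markdown text rather than placed in an attribute. The names validateLink, escapeHtml, renderLink, renderImage and classifySamples and the sample URLs are this example's own; splitting on ',' before ';' is an assumption that extends the patch's check to the non-base64 data URL form.

```javascript
// Added example, not code from NodeBB or markdown-it. It follows the design of
// the markdown-it fix for CVE-2015-3296: script-capable schemes are denied,
// data: URLs are allowed only for a fixed list of raster image MIME types, and
// everything else passes through as an ordinary URL.

const BAD_PROTOCOLS = ['vbscript', 'javascript', 'file', 'data'];
const ALLOWED_DATA_MIMES = [
  'data:image/gif',
  'data:image/png',
  'data:image/jpeg',
  'data:image/webp'
];

// Returns true if the link target may be emitted into HTML. The caller is
// expected to have normalized the URL (entities decoded) before calling this.
function validateLink(url) {
  const str = url.trim().toLowerCase();
  if (str.indexOf(':') < 0) {
    return true;                      // no scheme: relative URL
  }
  const protocol = str.split(':')[0];
  if (BAD_PROTOCOLS.indexOf(protocol) < 0) {
    return true;                      // http, https, mailto, ...
  }
  if (protocol === 'data') {
    // Reduce "data:<mime>[;param...],<payload>" to "data:<mime>". Splitting on
    // the comma first (an assumption beyond the patch, which only split on ';')
    // also accepts the non-base64 form "data:image/png,<percent-encoded bytes>".
    const mime = str.split(',')[0].split(';')[0];
    return ALLOWED_DATA_MIMES.indexOf(mime) >= 0;
  }
  return false;                       // vbscript:, javascript:, file:
}

// Minimal HTML escaping for attribute and text context.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Mirrors what the xss.txt fixture shows: a rejected link is not turned into
// an anchor at all but left as literal markdown text, so no attribute ever
// carries the untrusted scheme.
function renderLink(text, href) {
  if (!validateLink(href)) {
    return escapeHtml('[' + text + '](' + href + ')');
  }
  return '<a href="' + escapeHtml(href) + '">' + escapeHtml(text) + '</a>';
}

// Images go through the same validator, as in markdown-it.
function renderImage(alt, src) {
  if (!validateLink(src)) {
    return escapeHtml('![' + alt + '](' + src + ')');
  }
  return '<img src="' + escapeHtml(src) + '" alt="' + escapeHtml(alt) + '">';
}

// Constructed sample inputs (not taken from the advisory).
const SAMPLES = [
  'https://example.com/page',
  '/relative/path',
  'mailto:someone@example.com',
  'JavaScript:alert(1)',
  ' data:text/html;base64,AAAA',
  'data:image/png;base64,iVBORw0KGgo=',
  'data:image/png,%89PNG',
  'data:image/svg+xml;base64,AAAA'
];

// Maps each sample URL to the validator's verdict.
function classifySamples() {
  const out = {};
  for (const s of SAMPLES) out[s] = validateLink(s);
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [u, ok] of Object.entries(classifySamples())) {
    console.log((ok ? 'allow ' : 'reject') + '  ' + JSON.stringify(u));
  }
}
```

Lowercasing and trimming before the scheme check is what makes the mixed-case and leading-whitespace samples land in the deny branch; SVG is deliberately absent from the allow-list because it is not a pure raster format.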

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Ecosystem   Affected versions   Patched versions
nodebb                   npm         < 0.70              0.70
nodebb-plugin-markdown   npm         < 5.1.1             5.1.1

Affected products

  • cpe:2.3:a:nodebb:nodebb:*:*:*:*:*:*:*:*
    Range: <=0.6.1

Patches

f76d3beb46ab

Disabled data URIs (allow only some whitelisted images)

https://github.com/markdown-it/markdown-it · Vitaly Puzrin · Mar 30, 2015 · via ghsa
2 files changed · +41 −5
  • lib/index.js (+26 −5, modified)
    @@ -20,20 +20,41 @@ var config = {
       commonmark: require('./presets/commonmark')
     };
     
    -
    -var BAD_PROTOCOLS    = [ 'vbscript', 'javascript', 'file' ];
    +////////////////////////////////////////////////////////////////////////////////
    +//
    +// This validator does not pretent to functionality of full weight sanitizers.
    +// It's a tradeoff between default security, simplicity and usability.
    +// If you need different setup - override validator method as you wish. Or
    +// replace it with dummy function and use external sanitizer.
    +//
    +
    +var BAD_PROTOCOLS      = [ 'vbscript', 'javascript', 'file', 'data' ];
    +var ALLOWED_DATA_MIMES = [
    +  'data:image/gif',
    +  'data:image/png',
    +  'data:image/jpeg',
    +  'data:image/webp'
    +];
     
     function validateLink(url) {
       // url should be normalized at this point, and existing entities are decoded
    -  //
    -  var str = url.trim().toLowerCase();
     
    -  if (str.indexOf(':') >= 0 && BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) {
    +  var str      = url.trim().toLowerCase(),
    +      protocol = str.split(':')[0];
    +
    +  if (str.indexOf(':') >= 0 && BAD_PROTOCOLS.indexOf(protocol) >= 0) {
    +    if (protocol === 'data' && ALLOWED_DATA_MIMES.indexOf(str.split(';')[0]) >= 0) {
    +      return true;
    +    }
         return false;
       }
    +
       return true;
     }
     
    +////////////////////////////////////////////////////////////////////////////////
    +
    +
     var RECODE_HOSTNAME_FOR = [ 'http:', 'https:', 'mailto:' ];
     
     function normalizeLink(url) {
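Review bot: the whitelist test `ALLOWED_DATA_MIMES.indexOf(str.split(';')[0]) >= 0` only matches data URLs that carry a `;` parameter (in practice `;base64`); the plain form `data:image/png,<percent-encoded bytes>` yields `data:image/png,<payload>` from `split(';')[0]` and is rejected even though its type is whitelisted. If that form is meant to be allowed, strip the payload first, e.g. `str.split(',')[0].split(';')[0]`. The new comment block also has a typo: "does not pretent to functionality of full weight sanitizers" should read "does not pretend to the functionality of full-weight sanitizers". Defaulting to rejection for every unlisted data: type is the right direction, and the comment saying the validator is an overridable tradeoff rather than a sanitizer is worth keeping.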
    
  • test/fixtures/markdown-it/xss.txt (+15 −0, modified)
    @@ -53,6 +53,21 @@ Should not allow some protocols in links and images
     .
     
     
    +Should not allow data-uri except some whitelisted mimes
    +.
    +![](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
    +.
    +<p><img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" alt=""></p>
    +.
    +
    +.
    +[xss link](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
    +.
    +<p>[xss link](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)</p>
    +.
    +
    +
    +
     Image parser use the same code base.
     .
     ![xss link](javascript:alert(1))
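Review bot: the two new fixtures cover one accepted image (data:image/gif) and one rejected link (data:text/html), but not the case the MIME whitelist exists for, an image whose data: type is not in the list; a `![]()` fixture with a non-whitelisted type such as image/svg+xml, expected to render as literal text, would pin down the `protocol === 'data'` branch for images, which the "Image parser use the same code base" section relies on. The three blank `+` lines before that section can be trimmed to one to match the spacing of the other fixtures.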
    
ab7f26847508

updated plugin to use markdown-it instead of remarkable, and updated validateLink method to discard all data-uris, until a solution is developed upstream.

2 files changed · +14 −3
  • index.js (+13 −2, modified)
    @@ -1,7 +1,7 @@
     (function() {
     	"use strict";
     
    -	var	Remarkable = require('remarkable'),
    +	var	MarkdownIt = require('markdown-it'),
     		fs = require('fs'),
     		path = require('path'),
     		url = require('url'),
    @@ -67,7 +67,18 @@
     					_self.highlight = _self.config.highlight || true;
     					delete _self.config.highlight;
     
    -					parser = new Remarkable(_self.config);
    +					parser = new MarkdownIt(_self.config);
    +
    +					// Override the link validator from MarkdownIt, so you cannot link directly to a data-uri
    +					parser.validateLink = function(url) {
    +						var BAD_PROTOCOLS    = [ 'vbscript', 'javascript', 'file', 'data' ];
    +						var str = url.trim().toLowerCase();
    +
    +						if (str.indexOf(':') >= 0 && BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) {
    +							return false;
    +						}
    +						return true;
    +					}
     				});
     			},
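Review bot: the override `parser.validateLink = function(url) {...}` copies markdown-it's deny-list wholesale instead of wrapping it, so any later upstream change to the validator (a newly blocked scheme, or the image MIME whitelist from the upstream fix this commit is waiting on) will be masked by this plugin until someone re-copies the list. Since the stated intent is only to reject `data:` in addition to what upstream already rejects, keep the original check in force and add the extra condition on top, e.g. `var upstream = parser.validateLink; parser.validateLink = function (url) { return upstream.call(parser, url) && url.trim().toLowerCase().indexOf('data:') !== 0; };`. The function expression is also missing its terminating semicolon after the closing brace.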
     
    
  • package.json (+1 −1, modified)
    @@ -18,7 +18,7 @@
         "url": "https://github.com/julianlam/nodebb-plugin-markdown/issues"
       },
       "dependencies": {
    -    "remarkable": "^1.3.0"
    +    "markdown-it": "^4.0.3"
       },
       "nbbpm": {
         "compatibility": "^0.7.0"
    
