Shaarli has Stored Cross-Site Scripting (XSS) via Markdown Reference Links
Description
Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a stored Cross-Site Scripting (XSS) vulnerability in the Markdown-to-HTML conversion process used for the Bookmark Description field. An authenticated user can inject a malicious javascript: URI inside a Markdown link. The vulnerability originates in the filterProtocols method within BookmarkMarkdownFormatter.php. This method attempts to sanitize Markdown links by filtering dangerous protocols (such as javascript:) before rendering. It uses the following regular expression: (#]\((.*?)\)#is). This regex is designed to detect inline Markdown links, but it fails to detect Markdown reference-style links, because reference-style links are resolved by the Markdown parser after preprocessing. The filterProtocols method never inspects the actual URL used in these references, and as a result an attacker can supply a javascript: URI inside a reference definition. This issue has been fixed in version 0.16.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Patches
Vulnerability mechanics
Root cause
"The `filterProtocols` method's regex only matches inline Markdown links, so reference-style link definitions containing `javascript:` URIs are never sanitized."
Attack vector
An authenticated attacker creates a bookmark and sets the Description field to a Markdown reference-style link, e.g. `[Click Me for XSS][1]` followed by a reference definition `[1]: javascript:alert('XSS_MARKDOWN')`. The `filterProtocols` method does not inspect reference definitions, so the `javascript:` URI passes through unsanitized. When the Markdown parser renders the description to HTML, it produces an `<a>` tag with a malicious `href` attribute. Any user who clicks the rendered link on the homepage triggers the attacker's JavaScript payload [ref_id=1].
Affected code
The vulnerability is in the `filterProtocols` method within `BookmarkMarkdownFormatter.php`. This method attempts to sanitize Markdown links by filtering dangerous protocols (such as `javascript:`) using the regex `(#]\((.*?)\)#is)`, which only detects inline Markdown links. It fails to inspect reference-style links because those are resolved by the Markdown parser after preprocessing, so the sanitization never sees the actual URL used in the reference definition [ref_id=1].
What the fix does
The advisory states the issue is fixed in version 0.16.2 [ref_id=1]. The patch is not shown in the bundle, but the fix would need to extend protocol filtering to cover reference-style link definitions, not just inline Markdown links. By sanitizing the URL in the reference definition before the Markdown parser resolves it, the `javascript:` URI would be blocked and the resulting `<a>` tag would have a safe `href` attribute.
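To make the gap concrete, the following is an added Python re-implementation of the idea, not Shaarli's code (the real `filterProtocols` is PHP). `INLINE_LINK_RE` mirrors the page's inline-only regex; the reference-definition pattern, the scheme allowlist and the `#blocked` placeholder are my assumptions, and the sample Markdown is constructed.

```python
import re

# Constructed bookmark description (not from Shaarli): one inline link and
# one reference-style link whose definition carries a javascript: URI.
SAMPLE = (
    "See [Click Me][1] and [inline](javascript:x).\n"
    "\n"
    "[1]: javascript:alert('XSS_MARKDOWN')\n"
    "[2]: https://example.com/ok\n"
)

# Mirrors the page's inline-only regex (#]\((.*?)\)#is): it only sees "](url)".
INLINE_LINK_RE = re.compile(r"\]\((.*?)\)", re.I | re.S)
# Reference definition "[label]: url" at line start (assumed CommonMark-like form).
REF_DEF_RE = re.compile(r"^( {0,3}\[[^\]]+\]:[ \t]*)(<?)(\S+?)(>?)[ \t]*$", re.M)

ALLOWED_SCHEMES = ("http", "https", "ftp", "mailto")  # allowlist: my assumption
PLACEHOLDER = "#blocked"                               # harmless replacement href


def sanitize_url(url: str) -> str:
    """Keep scheme-less (relative) URLs and allowlisted schemes; neutralise the rest.
    Whitespace/control characters are stripped before reading the scheme, since
    browsers ignore them and 'java\\tscript:' would otherwise slip past."""
    cleaned = re.sub(r"[\s\x00-\x1f]", "", url)
    m = re.match(r"^([a-z][a-z0-9+.-]*):", cleaned, re.I)
    if m is None:
        return url
    return url if m.group(1).lower() in ALLOWED_SCHEMES else PLACEHOLDER


def filter_inline_only(md: str) -> str:
    """Vulnerable behaviour: only inline "](url)" targets are inspected."""
    return INLINE_LINK_RE.sub(lambda m: "](" + sanitize_url(m.group(1)) + ")", md)


def filter_inline_and_refs(md: str) -> str:
    """Fixed behaviour: also sanitise reference definitions before the parser resolves them."""
    out = filter_inline_only(md)
    return REF_DEF_RE.sub(
        lambda m: m.group(1) + m.group(2) + sanitize_url(m.group(3)) + m.group(4), out)


def link_targets(md: str) -> list:
    """Every URL the Markdown parser would place into an href attribute."""
    return INLINE_LINK_RE.findall(md) + [m.group(3) for m in REF_DEF_RE.finditer(md)]
```

Running `link_targets` over the output of each filter shows the inline-only version still hands `javascript:alert('XSS_MARKDOWN')` to the parser, while the extended version blocks it and leaves the https reference intact.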
Preconditions
- auth: The attacker must be authenticated to Shaarli and able to create or edit bookmarks.
- input: The victim must click the rendered malicious link on the homepage.
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/shaarli/Shaarli/releases/tag/v0.16.2
- github.com/shaarli/Shaarli/security/advisories/GHSA-2hgr-63wv-x462