Marko XSS Vulnerability: Case-Insensitive Tag Bypass in Script/Style Tags

XSS via case-insensitive / bypass with unsafe text interpolation within / tags Vulnerability Overview Marko's runtime fails to prevent tag breaking when closing tags are written in non-lowercase case, leading to dynamic text insertion into or tags. Attackers can inject input within or blocks, break out of the tags, and inject arbitrary HTML/JavaScript using mixed-case forms such as or , resulting in Cross-Site Scripting (XSS). Affected Versions Affected versions: - = 6.0.164 - >= 5.38.36 For affected versions, as a short-term mitigation, perform pre-cleaning of data before it reaches the template location to ensure all untrusted data is normalized before being inserted into or tags. POC Code Detailed Description Root Cause: - The helper functions use case-sensitive regular expressions to detect attempts to close surrounding tags. - HTML tag names are case-insensitive in browser parsers. Consequently, inputs like , , or are not matched by these regular expressions and are passed through the helper functions unchanged. When the browser renders the output, it treats mixed-case closing tags as valid terminators, ending the script or style context and parsing any following content as HTML. PoC Example: Impact: - Any Marko templates that explicitly interpolate untrusted data are affected. - Stored XSS is trivial if the values originate from any persistent user input (usernames, profiles, comments, etc.) and are later embedded into script tags during rendering. - Exploitation leads to arbitrary JavaScript execution in the victim's browser, enabling session hijacking, account takeover, and arbitrary actions performed as the victim. Patch: - Commit fixes HTML script, style, and comment escaping issues. - Introduces the helper function and the corresponding , enhancing HTML comment escaping as a related preventive measure. - Test functionality added for , , and . Workarounds Upgrade to the fixed versions. As a short-term mitigation, pre-clean data before it reaches the template location to ensure all untrusted data is normalized before being inserted into or tags.

Goal Reached Thanks to every supporter — we hit 100%!

Marko XSS Vulnerability: Case-Insensitive Tag Bypass in Script/Style Tags

More from this source