Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Electron: Resolves #500: Fixed XSS security vulnerability
Showing 3 changed files with 17 additions and 8 deletions.
494e235
This should be an option in settings.
I mean all applications might suffer from XSS when HTML parsing is allowed. How does MediaWiki solve this? How do other apps?
Disabling HTML is a very brutal solution and people who were actually using HTML will not be happy that their notes are broken now.
Just my 2 cents.
You could say it's a brutal solution... if it was previously supported :-) But actually I was lazy and HTML was enabled only so that the `<br>` tag can be used, as it's needed to insert new lines in table cells and when importing ENEX files (that tag is still supported). Otherwise HTML parsing was never officially supported nor mentioned in the docs, so I hope nobody was relying on it too much. Later on, other tags might be supported such as `<img>`, but any HTML support will be tag by tag, and not as until now by letting the Chrome runtime execute anything passed to it.
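As an added illustration of the tag-by-tag approach described in the comment above (this is not Joplin's code and not part of the commit; `ALLOWED_TAGS`, `renderPassthrough`, `renderAllowlisted` and the sample note are names and data chosen here), the JavaScript below contrasts raw HTML passthrough with an allowlist that lets only an attribute-free `<br>` through and escapes every other tag so the renderer shows it as text:

```javascript
// Added example (not Joplin's code): a tag-by-tag HTML allowlist for note
// rendering, in the spirit of the approach described in the commit thread.
// The allowlist is a hypothetical choice: only <br> survives, every other
// tag is neutralised by escaping so the renderer displays it as text.

const ALLOWED_TAGS = new Set(['br']); // hypothetical: extend one tag at a time

// Escape the characters that would let text be interpreted as markup.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Rendering with HTML passthrough: whatever the note contains reaches the
// Chromium renderer unchanged. This is the behaviour the fix removes.
function renderPassthrough(noteText) {
  return noteText;
}

// Allowlisted rendering: each tag is matched and kept only if its name is on
// the allowlist AND it carries no attributes (so no onerror=, onclick=, href=).
// Everything else, including bare '<' and '&', is escaped.
function renderAllowlisted(noteText, allowed = ALLOWED_TAGS) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(noteText)) !== null) {
    out += escapeHtml(noteText.slice(last, m.index));
    const [whole, slash, rawName, attrs] = m;
    const name = rawName.toLowerCase();
    // attrs may only be whitespace or a self-closing slash ("<br/>")
    const bare = /^\s*\/?\s*$/.test(attrs);
    out += allowed.has(name) && bare ? `<${slash}${name}>` : escapeHtml(whole);
    last = tagRe.lastIndex;
  }
  return out + escapeHtml(noteText.slice(last));
}

// Constructed sample note content: a table-cell line break plus a payload of
// the kind that HTML passthrough would hand straight to the renderer.
const SAMPLE_NOTE = 'cell line 1<br>cell line 2 <img src=x onerror=alert(1)> & more';

console.log('passthrough :', renderPassthrough(SAMPLE_NOTE));
console.log('allowlisted :', renderAllowlisted(SAMPLE_NOTE));
```

The attribute check is what makes a name-based allowlist hold up: `<br onclick="...">` is rejected even though `br` is allowed. If `<img>` is added to the list later, the tag name alone is not enough, since `onerror=` and `src=javascript:` live in attributes; each permitted attribute then needs its own validation (for example, `src` restricted to known-safe schemes).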
Ah, I see. Very good point. ;-) You really gave me a hearty laugh here.
I thought that markdown always allows html tags and that this requirement was in the specs. Never mind then.
Thanks for the info.