
Prevent potential XSS by default #188

Open
vincentjames501 opened this issue Oct 12, 2022 · 1 comment

Comments

@vincentjames501

vincentjames501 commented Oct 12, 2022

Example markdown:

[click me](javascript:window.onerror=alert;throw%20document.URL)

Markdown clj will render:

[image: screenshot of the rendered link]

Maybe we force folks to specify specific protocols they want to support and validate the URLs? We just discovered this and haven't done much analysis at this point.

This is what other popular Java markdown tools do:

https://github.com/commonmark/commonmark-java/blob/main/commonmark/src/main/java/org/commonmark/renderer/html/DefaultUrlSanitizer.java

Note, this doesn't affect other online editors either:

https://dillinger.io/
https://stackedit.io/app#
https://jbt.github.io/markdown-editor/
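
One way to implement the protocol allowlist suggested above, as an added example that is not markdown-clj's code; it only loosely follows the idea of the linked commonmark-java sanitizer and is written in JavaScript because the damage lands in the browser. The function names, the allowlist contents and the sample URLs are assumptions made for the example.

```javascript
// Added example (not markdown-clj's or commonmark-java's code): allowlist a
// link's URL scheme before it is rendered as <a href>. Only schemes on the
// allowlist, or scheme-less (relative) URLs, are kept; anything else is dropped.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]); // assumed allowlist

// Mirror the WHATWG URL parser's pre-processing (strip leading/trailing C0
// controls and spaces, remove tab/LF/CR anywhere) so that variants such as
// " JavaScript:..." or "java\tscript:..." are classified the way a browser
// would actually treat them.
function normalizeUrl(url) {
  return url
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Returns the normalized URL if its scheme is allowed (or absent), else null.
function sanitizeLinkUrl(url) {
  const cleaned = normalizeUrl(url);
  // scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  if (m === null) return cleaned; // no scheme: relative URL, nothing to abuse
  return ALLOWED_SCHEMES.has(m[1].toLowerCase()) ? cleaned : null;
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Renders a markdown-style link; an unsafe URL degrades to an href-less anchor
// so the link text survives but nothing is navigable.
function renderLink(text, url) {
  const safe = sanitizeLinkUrl(url);
  const href = safe === null ? "" : ` href="${escapeHtml(safe)}"`;
  return `<a${href}>${escapeHtml(text)}</a>`;
}

// Constructed sample inputs, including the payload from the issue.
const SAMPLES = [
  "https://example.com/?a=1&b=2",
  "/relative/path",
  "foo/bar:baz",
  "javascript:window.onerror=alert;throw%20document.URL",
  " JavaScript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
];
for (const u of SAMPLES) console.log(JSON.stringify(u), "->", JSON.stringify(sanitizeLinkUrl(u)));
```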

@yogthos
Owner

yogthos commented Oct 19, 2022

Yeah, that looks like it would need additional sanitizing to be done. Any chance you'd have a chance to take a look at adding escaping for this?
