Option to turn off all JS put into editor #351

Open
duguying opened this Issue Dec 14, 2014 · 5 comments


duguying commented Dec 14, 2014

#EpicEditor
This is some default content. Go ahead, _change me_.
<img src="./" onerror="alert('hack')">
Owner

OscarGodson commented Dec 14, 2014

EpicEditor has never stripped this stuff because some people want to use JS in there. For example, they want to make something like JSBin with EpicEditor. Maybe turning off all embedded JS should be an option tho?

duguying commented Dec 14, 2014

Yes, I think maybe an option should be there to

turning off all embedded JS

@duguying duguying closed this Dec 15, 2014

@OscarGodson OscarGodson reopened this Dec 15, 2014

Owner

OscarGodson commented Dec 15, 2014

Reopening so someone can make this an option. Going to update the title a bit tho

@OscarGodson OscarGodson changed the title from execuse me, xss in img mark to Option to turn off all JS put into editor Dec 15, 2014

duguying commented Dec 16, 2014

ok, thanks

@massar massar added the Feature label Nov 25, 2015

Collaborator

massar commented Nov 25, 2015

One would effectively need something like https://github.com/microcosm-cc/bluemonday for this but then in Javascript to do it properly.

Seems somebody did a cross compile: https://github.com/mdp/bluemonday-js/
though that is NPM and quite heavy....

If the user or a tool does add text that includes javascript you have lost already: the user can do it anyway, no way to stop it and a tool that already can insert javascript already owns the browser.
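
The allowlist filtering discussed in this thread, sketched as an added example that is not code from EpicEditor, bluemonday or any participant here. It assumes the filter runs on the HTML produced by the Markdown renderer before that HTML reaches the preview; every name in it (`ALLOWED`, `sanitize`, `isSafeUrl`) is hypothetical, and it uses a small regex tokenizer rather than a real HTML parser.

```javascript
// Added example (not EpicEditor or bluemonday code); all names here are hypothetical.
// Allowlist policy: tag -> attributes permitted on it. Anything absent is dropped.
const ALLOWED = new Map(Object.entries({
  a: ['href', 'title'], img: ['src', 'alt', 'title'],
  p: [], em: [], strong: [], code: [], pre: [], blockquote: [], br: [],
  ul: [], ol: [], li: [], h1: [], h2: [], h3: [],
}));
const URL_ATTRS = new Set(['href', 'src']);
const SAFE_SCHEMES = ['http', 'https', 'mailto'];
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) =>
  ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

function isSafeUrl(value) {
  // Browsers ignore tabs/newlines inside URLs, so strip controls and spaces
  // before looking for a scheme; a value with no scheme is a relative URL.
  const v = value.replace(/[\u0000-\u0020]/g, '');
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(v);
  return !scheme || SAFE_SCHEMES.includes(scheme[1].toLowerCase());
}

// Output is rebuilt from scratch: text is always escaped, and a tag is emitted
// only from an allowlisted name plus allowlisted, re-quoted attributes.
function sanitize(html) {
  const TAG = /<(\/?)([a-z][a-z0-9]*)\b([^<>]*)>/gi;
  const ATTR = /([a-z][a-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>]+))/gi;
  let out = '', last = 0, m;
  while ((m = TAG.exec(html)) !== null) {
    out += escapeHtml(html.slice(last, m.index));
    last = TAG.lastIndex;
    const name = m[2].toLowerCase();
    const allowedAttrs = ALLOWED.get(name);
    if (!allowedAttrs) continue;                       // e.g. <script>, <svg>, <iframe>
    if (m[1]) { out += `</${name}>`; continue; }       // closing tag: no attributes kept
    let attrs = '';
    for (const a of m[3].matchAll(ATTR)) {
      const attr = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (!allowedAttrs.includes(attr)) continue;      // onerror, onclick, style, ...
      if (URL_ATTRS.has(attr) && !isSafeUrl(value)) continue;
      attrs += ` ${attr}="${escapeHtml(value)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out + escapeHtml(html.slice(last));
}

// Constructed input: HTML a Markdown renderer could emit for the content in this issue.
const rendered = `<h1>EpicEditor</h1>\n<p>Go ahead, <em>change me</em>.</p>\n` +
  `<img src="./" onerror="alert('hack')">`;
console.log(sanitize(rendered));
```

Because nothing from the input is copied through unescaped, a tokenizer mistake can only cause markup to be shown as text, not executed; a maintained sanitizer built on a real HTML parser is still the better choice for production use.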
