Use HTML inside comment #40
Comments
The content of the comment is escaped on purpose. If you insert the content into the DOM without escaping it, malicious users may inject JavaScript into the site. For example, if you post a comment
and insert it into the DOM straight up, all users will be prompted with "Hi there!".
Yes, I thought about that.
The issue is not as trivial as you may think; please check out the list of possible vulnerabilities at https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet. There's a good reason why Facebook, Google and even GitHub won't support pure HTML comments. If you wish to implement something like this, I recommend using a Markdown approach like the one implemented here on GitHub.
OK, I see. I know it's bad anyway, but I'm using it on an intranet portal; no one inside a single company wants to inject some JS into a comment. If he wants to do it, he will suffer some consequences, because I use the comment history. In the future I will implement that Markdown approach.
I feel the same as you, LESARQ. Instead of forcing escaping of the comment, it might be given as an option such as
Is there any way to use HTML inside the comment?
To do this I changed the following line (1593):

```javascript
content.html(this.linkify(this.escape(commentModel.content)));
```

to

```javascript
content.html(this.linkify(commentModel.content));
```