[Security] XSS issue when rendering article content and comments using markdown library #144
Comments
This should be fixed in most browsers by CSP when this is fully implemented. As for older browsers, we should be encoding the user input when saving it to the database and/or displaying the content.
I just noticed that we appear to be using the Westwind.AspNetCore.Markdown package and the Is this perhaps a bug in that framework?
Our team has used HtmlSanitizer in the past. I will dig out the code from another project, because you do have to be aware of nefarious people "encoding/escaping" script tags and suchlike, which means you may have to run the sanitizer several times against the content. Not sure.
Hi @ashleybroughton, I think Mr Strahl's response to the issue you raised is rather naive. We need a better solution.
Hi @essenbee. I did try HtmlSanitizer quickly, but I don't have much experience with it. It just seemed to turn the resulting markdown HTML into encoded tags, which means we don't get any of the markdown benefits. This is definitely something we need to find a good solution for. Edit: This is how I was using it. It turns this into this.
This could lead to some nefarious edits.
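As an added example, not code from this project or from any of the commenters above: one way to keep the markdown formatting while still removing script is to render the untrusted markdown to HTML first and then run the sanitizer over the HTML that will actually reach the browser. Sanitizing the markdown source instead is too early, because a payload such as `[link](javascript:alert(1))` only becomes an `<a href="javascript:...">` after rendering. This assumes the Markdig package (which Westwind.AspNetCore.Markdown builds on) and the HtmlSanitizer NuGet package (namespace `Ganss.XSS` in older releases, `Ganss.Xss` in newer ones); the `SafeMarkdown` class and the sample input are constructed for this illustration.

```csharp
// Added example, not the project's own code.
// Assumes NuGet references to Markdig and HtmlSanitizer.
using System;
using Ganss.XSS;   // Ganss.Xss in newer HtmlSanitizer versions
using Markdig;

public static class SafeMarkdown
{
    // Markdig pipeline; raw HTML in the markdown is passed through by default,
    // which is exactly why the rendered output must be sanitized afterwards.
    private static readonly MarkdownPipeline Pipeline =
        new MarkdownPipelineBuilder().Build();

    // HtmlSanitizer works from an allow-list of tags, attributes and URL schemes,
    // so <script>, on* event handlers and javascript: URLs are dropped by default.
    private static readonly HtmlSanitizer Sanitizer = new HtmlSanitizer();

    // Render untrusted markdown (article body or comment) to HTML that is safe
    // to emit with Html.Raw. Order matters: render first, sanitize second.
    public static string Render(string untrustedMarkdown)
    {
        string html = Markdown.ToHtml(untrustedMarkdown ?? string.Empty, Pipeline);
        return Sanitizer.Sanitize(html);
    }

    public static void Main()
    {
        // Constructed sample: legitimate markdown mixed with a javascript: link,
        // an inline event handler and a raw script element.
        string sample =
            "# Title\n\n" +
            "Some *emphasis* and a [link](javascript:alert(1)).\n\n" +
            "<img src=\"x\" onerror=\"alert(1)\">\n\n" +
            "<script>alert('xss')</script>\n";

        // Expected: the heading and <em> survive, the link loses its javascript:
        // href, the onerror attribute and the <script> element are removed.
        Console.WriteLine(Render(sample));
    }
}
```

Two points worth keeping in mind when wiring this into views. First, the sanitized string still has to be emitted with `Html.Raw`; Razor's default `@` output HTML-encodes everything, which is the "encoded tags" effect rather than a sanitizer result. Second, if raw HTML inside markdown is not a feature the site needs, Markdig's `DisableHtml()` pipeline option removes that attack surface up front, and the sanitizer then only has to deal with what the renderer itself produced. CSP remains useful as defence in depth, but it is not a substitute for sanitizing server-side output.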