XSS vulnerability in some tags #4
Comments
FYI, I just bumped the version to 1.0.9 and pushed it to PyPI. Thanks for the report.
np, but I found a new bug 116cb20#commitcomment-2807750 :] Planning to migrate djangobb from postmarkup to your lib.
That's not a bug, it's just how the parser works. See my followup comment. You can quote the URL if it has spaces, but I doubt this will be much of an issue in practice. Browsers escape spaces for you (if you copy them), URLs don't tend to have spaces in them, and who types out URLs? :) Glad to hear you're using my code!
ok, thanks :) postmarkup does this another way, but you're right.
This is still an issue. These still work:
FYI, I added a couple more XSS fixes to the url tag and default linker that should address those examples.
Another passive XSS ;)
Fixed in e23f5ae |
Solution: escape more symbols, such as " and '. All returned HTML values between tags must be escaped.
Check how this is done in Django, for example: https://github.com/django/django/blob/master/django/utils/html.py#L39
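An added example (not the bbcode library's code, and not from anyone in this thread) showing why the escaping recommended above matters for the url tag: a hypothetical renderer that escapes only `&`, `<` and `>` beside one that also escapes `"` and `'`, the same set Django's `escape` handles. The scheme allowlist and control-character stripping are an assumption added beyond what the thread says; the function names and the sample URL are constructed.

```python
import html
import re
from urllib.parse import urlsplit

# Hypothetical renderer for a [url=...]text[/url] tag (constructed example,
# not the library's own implementation).

ALLOWED_SCHEMES = {"http", "https", ""}   # "" = relative link (assumption)
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def render_url_unsafe(url: str, text: str) -> str:
    """Escapes only &, < and >. A double quote inside `url` is emitted
    verbatim, so it terminates the href attribute early."""
    return '<a href="%s">%s</a>' % (
        html.escape(url, quote=False), html.escape(text, quote=False))


def render_url_safe(url: str, text: str) -> str:
    """Escapes &, <, >, " and ' in every value written into the markup.
    As an extra hardening step (assumption, not from the thread) it also
    drops control characters browsers ignore and keeps only http(s) or
    relative targets, since escaping alone does not vet the scheme."""
    url = _CONTROL_CHARS.sub("", url).strip()
    if urlsplit(url).scheme.lower() not in ALLOWED_SCHEMES:
        url = "#"                      # neutralise the link, keep the text
    return '<a href="%s">%s</a>' % (
        html.escape(url, quote=True), html.escape(text, quote=True))


def href_value(rendered: str) -> str:
    """Return the href value as a browser reads it: everything up to the
    next raw double quote. Shows where the unsafe output is cut short."""
    start = rendered.index('href="') + len('href="')
    return rendered[start:rendered.index('"', start)]


if __name__ == "__main__":
    url, text = 'https://example.com/?a=1&b="2"', "it's"   # constructed input
    for render in (render_url_unsafe, render_url_safe):
        out = render(url, text)
        print(render.__name__, "->", out)
        print("  browser sees href =", href_value(out))
```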