[security] can inject JS into page via markdown files #45

lucacasonato · 2019-10-24T22:07:31Z

Currently it is possible to inject javascript into pages that render markdown using, for example, a <img> element. This element has an onload parameter that will execute any JS that is passed to it once is succeeds/fails in loading the image.

Instead of blacklisting tags like we do now - currently only <script> is blacklisted - we should whitelist 'known good' tags like comments and <div>. The whitelist Github uses is more complex and is 'documented' here. It also takes the actual params of the tags into account.

The text was updated successfully, but these errors were encountered:

lucacasonato mentioned this issue Oct 26, 2019

Support documentation and source viewing for arbitrary URLs #75

Closed

ry mentioned this issue Nov 7, 2019

Make markdown html allowences more restrictive #105

Merged

ry closed this as completed in #105 Nov 7, 2019

lucacasonato added a commit to lucacasonato/dotland that referenced this issue May 13, 2020

Removed line numbers on homepage (denoland#45)

c8a7c0b

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[security] can inject JS into page via markdown files #45

[security] can inject JS into page via markdown files #45

lucacasonato commented Oct 24, 2019

[security] can inject JS into page via markdown files #45

[security] can inject JS into page via markdown files #45

Comments

lucacasonato commented Oct 24, 2019