This repository has been archived by the owner on Jun 29, 2023. It is now read-only.
Currently it is possible to inject JavaScript into pages that render markdown using, for example, an `<img>` element. This element has an onload parameter that will execute any JS that is passed to it once it succeeds/fails in loading the image.
Instead of blacklisting tags like we do now - currently only `<script>` is blacklisted - we should whitelist 'known good' tags like comments and `<div>`. The whitelist GitHub uses is more complex and is 'documented' here. It also takes the actual params of the tags into account.