Do not allow SVG by default #3640
Today I got a report by Gregor Godbersen that our markdown XSS filter was ineffective because we always allowed SVG tags, which can be exploited with the following markdown:
Filtering SVG tags by default was removed in #3458 because no one could remember why it was there. Thanks to Gregor we remember.
This issue only impacts Home Assistant 0.98. The
Hass.io has not had a UI release since #3458 was merged, so it was not impacted. Hass.io does render external markdown (add-on descriptions) but the existing XSS was in place.
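To make the "SVG off by default" policy concrete, here is an added example that is not Home Assistant frontend code: a minimal allow-list HTML sanitizer in the style a markdown renderer would run over its output. SVG elements are accepted only when the caller passes `allowSvg: true`, and even then every attribute not on the per-tag allow-list (all `on*` handlers included) is dropped, as is any `href`/`src` that is not a relative, http(s) or mailto URL. The tag and attribute allow-lists, the `sanitize` and `filterAttrs` names, and the sample HTML are assumptions made for illustration; the regex tokenizer is deliberately simple and a production renderer should use a DOM-based sanitizer library instead.

```javascript
"use strict";
// Added example, not Home Assistant frontend code: a minimal allow-list HTML
// sanitizer showing the policy this PR restores, SVG elements are opt-in
// (allowSvg: true) rather than accepted by default. The tag and attribute
// allow-lists are assumptions chosen for illustration.

const HTML_TAGS = new Set([
  "p", "br", "a", "b", "i", "em", "strong", "code", "pre", "blockquote",
  "ul", "ol", "li", "h1", "h2", "h3", "h4", "img",
  "table", "thead", "tbody", "tr", "th", "td",
]);
const SVG_TAGS = new Set(["svg", "g", "path", "circle", "rect", "line", "polyline", "polygon"]);

// Per-tag attribute allow-list (lower-case names). Anything not listed is
// dropped, which covers every on* event handler, style, xlink:href and so on.
const ALLOWED_ATTRS = {
  a: ["href", "title"],
  img: ["src", "alt", "title", "width", "height"],
  svg: ["viewbox", "width", "height", "xmlns", "fill", "stroke"],
  g: ["fill", "stroke", "transform"],
  path: ["d", "fill", "stroke", "stroke-width"],
  circle: ["cx", "cy", "r", "fill", "stroke"],
  rect: ["x", "y", "width", "height", "fill", "stroke"],
  line: ["x1", "y1", "x2", "y2", "stroke"],
  polyline: ["points", "fill", "stroke"],
  polygon: ["points", "fill", "stroke"],
};
const URL_ATTRS = new Set(["href", "src"]);
// Relative URLs, http(s) and mailto only; rejects javascript:, data:, vbscript: etc.
const SAFE_URL = /^(?:(?:https?|mailto):|[^:]*$)/i;

const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Keep only allow-listed attributes of one start tag; URL attributes must also
// pass SAFE_URL. Returns the attribute string to re-emit (with leading space).
function filterAttrs(tag, rawAttrs) {
  const allowed = new Set(ALLOWED_ATTRS[tag] || []);
  const kept = [];
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4] !== undefined ? m[4] : "";
    if (!allowed.has(name)) continue;
    if (URL_ATTRS.has(name) && !SAFE_URL.test(value.trim())) continue;
    kept.push(`${m[1]}="${value.replace(/"/g, "&quot;")}"`);
  }
  return kept.length ? " " + kept.join(" ") : "";
}

// Sanitize HTML produced from markdown. Disallowed elements lose their tags
// (their text content remains as plain text). SVG is only accepted when the
// caller opts in, which should happen only for content from a trusted source.
function sanitize(html, { allowSvg = false } = {}) {
  const allowedTags = new Set(HTML_TAGS);
  if (allowSvg) for (const t of SVG_TAGS) allowedTags.add(t);
  return html.replace(TAG_RE, (whole, name, rawAttrs) => {
    const tag = name.toLowerCase();
    if (!allowedTags.has(tag)) return "";
    if (whole.startsWith("</")) return `</${tag}>`;
    const selfClosing = /\/\s*$/.test(rawAttrs);
    const attrs = filterAttrs(tag, rawAttrs.replace(/\/\s*$/, ""));
    return `<${tag}${attrs}${selfClosing ? "/" : ""}>`;
  });
}

// Constructed sample: HTML as a markdown renderer would emit it for untrusted
// input that smuggles an inline SVG with an event handler and a javascript: link.
const SAMPLE =
  '<p>Status: <b>ok</b></p>' +
  '<svg onload="alert(document.cookie)" viewBox="0 0 10 10"><path d="M0 0L10 10"/></svg>' +
  '<a href="javascript:alert(1)">click</a>';

console.log("default:  ", sanitize(SAMPLE));
console.log("allowSvg: ", sanitize(SAMPLE, { allowSvg: true }));
```

With the default options the whole `<svg>` subtree is reduced to nothing and the `javascript:` link keeps its text but loses its `href`; with `allowSvg: true` the SVG survives but only with its `viewBox`, the `onload` handler having been dropped by the attribute allow-list. The second mode is the one a caller should reserve for content it already trusts, which is the distinction this PR makes between the default and the opt-in.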