Prevent XSS #266
Comments
Perhaps use something like https://github.com/cure53/DOMpurify or https://github.com/apostrophecms/sanitize-html
Added DOMPurify ( https://github.com/search?q=repo%3Alinkeddata%2Fdokieli+dompurify&type=commits ) and using it in a few places. It is an improvement. It needs more reviewing and updating. For example, what to do with Lines 5695 to 5700 in 64a80f7
Leave this issue open or create new issues based on chaos?
Another question is whether something like DOMPurify should be done at a lower level, in the first callbacks before passing it to other functions? It needs to be limited to markup languages and possibly also plain text, otherwise it seems to mess up some of the concrete RDF syntaxes. By default it gets rid of
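As an added illustration of the media-type gating raised in the comment above (example code, not dokieli's or DOMPurify's own): the HTML sanitizer runs only on markup bodies, and RDF syntaxes such as Turtle pass through untouched. The `MARKUP_TYPES` list and the tag-stripping stand-in for a sanitizer are assumptions made so the file runs without a DOM; in the browser `DOMPurify.sanitize` would be passed in its place.

```javascript
// Media types that are rendered as markup and therefore need sanitizing first.
// Assumption: dokieli's real list may differ (text/plain is deliberately left out).
const MARKUP_TYPES = new Set(['text/html', 'application/xhtml+xml', 'image/svg+xml']);

// Reduce a Content-Type header value to its essence:
// "Text/HTML; charset=utf-8" -> "text/html" (parameters dropped, lowercased).
function essenceOf(contentType) {
  if (typeof contentType !== 'string') return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

// True only for markup types; Turtle, JSON-LD, N-Triples etc. are never sanitized.
function needsHtmlSanitizing(contentType) {
  return MARKUP_TYPES.has(essenceOf(contentType));
}

// The gate itself: apply `sanitize` (e.g. DOMPurify.sanitize in a browser) to
// markup bodies and return every other body exactly as received.
function sanitizeByMediaType(body, contentType, sanitize) {
  return needsHtmlSanitizing(contentType) ? sanitize(body) : body;
}

// Constructed stand-in for a sanitizer so this runs without a DOM: it drops every
// <...> token. It is NOT DOMPurify; it only makes the damage to RDF visible.
function stubStripTags(s) {
  return s.replace(/<[^>]*>/g, '');
}

// Constructed inputs. In Turtle the angle brackets delimit IRIs, not tags.
const TURTLE = '<http://example.org/s> <http://example.org/p> "o" .';
const HTML = '<p>Hello <b>world</b></p>';

// Ungated: all three IRIs vanish and the triple is destroyed.
// Gated: the Turtle body is returned unchanged, the HTML body is sanitized.
console.log(stubStripTags(TURTLE));
console.log(sanitizeByMediaType(TURTLE, 'text/turtle', stubStripTags));
console.log(sanitizeByMediaType(HTML, 'Text/HTML; charset=utf-8', stubStripTags));
```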
Some XSS prevention rules mentioned at https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet ( archived: https://web.archive.org/web/20181129114024/https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet ) can be implemented. Labeling this issue as a bug because we didn't systematically address this. Only in parts.