fix: add markdown sanitization for malicious notebooks #1315
Review comment on the test-case diff (quoted context, reconstructed from the extracted table cells):

    ````

    Nested fence
    ````text
I didn't even know 4 ticks was a way to nest 3 ticks.
Great test cases.
🚀 Development release published. You may be able to view the changes at https://marimo.app?v=0.4.12-dev2
Commits:

* fix: add markdown sanitization for malicious notebooks
* *sufficient
* fix: check for code block by regex
Was looking over the merge this morning and realized it would be possible to "inject" code blocks.
I don't think this could be used that maliciously, since running a notebook is already pretty risky. Maybe injecting a `<script>` tag that would only appear during conversion.
Either way, it's a bug. If you can think of more unsafe behavior let me know. Might be a cool chance to use one of those LLM fuzzers.
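The injection the PR description refers to is a fence-length problem: when an exporter wraps a cell body in a fixed three-backtick fence, a body that itself contains ``` closes that fence early, and whatever follows (a raw `<script>` tag, for instance) lands outside the code block as ordinary markdown. The review comment about 4 ticks nesting 3 ticks is the standard remedy: CommonMark only closes a fence with a run at least as long as the opener, so an opener one backtick longer than any run in the body cannot be closed from inside it. The following is an added example written for this page, not marimo's code and not the fix merged in this PR; `fence_for`, `wrap_markdown_cell`, `naive_wrap`, `parse_fenced_blocks` and the `MALICIOUS` sample are all hypothetical names and constructed input.

```python
import re

# Any run of one or more backticks in the cell body.
BACKTICK_RUN = re.compile(r"`+")

# Opening or closing fence line: a run of >= 3 backticks at column 0 followed by
# an optional info string (CommonMark; indented fences are not handled here).
FENCE_LINE = re.compile(r"^(`{3,})(.*)$")

# Constructed sample: a cell body that tries to close the exporter's fence and
# smuggle raw HTML plus a second code block into the exported document.
MALICIOUS = "print('hello')\n```\n<script>alert(1)</script>\n```python\nprint('bye')"


def fence_for(content: str, min_len: int = 3) -> str:
    """Return a backtick fence strictly longer than any backtick run in content.

    A closing fence must be at least as long as the opener, so an opener that
    is longer than every run inside the body can only be closed by our own
    closing line.
    """
    longest = max((len(m.group(0)) for m in BACKTICK_RUN.finditer(content)), default=0)
    return "`" * max(min_len, longest + 1)


def wrap_markdown_cell(content: str, info: str = "python") -> str:
    """Hardened wrapper: fence length adapts to the body."""
    fence = fence_for(content)
    return f"{fence}{info}\n{content}\n{fence}\n"


def naive_wrap(content: str, info: str = "python") -> str:
    """'Before' behaviour: a fixed three-tick fence the body can close early."""
    return f"```{info}\n{content}\n```\n"


def parse_fenced_blocks(markdown: str) -> tuple[list[str], list[str]]:
    """Tiny CommonMark-style fence scanner used to show what a renderer sees.

    Returns (code_bodies, loose_lines): the body of every fenced block, and the
    non-blank lines that end up outside any code block (i.e. injected markup).
    """
    bodies: list[str] = []
    loose: list[str] = []
    open_len = 0
    body: list[str] = []
    for line in markdown.splitlines():
        m = FENCE_LINE.match(line)
        if open_len == 0:
            # An opener's info string may not contain backticks.
            if m and "`" not in m.group(2):
                open_len = len(m.group(1))
                body = []
            elif line.strip():
                loose.append(line)
        else:
            # A closer is a run at least as long as the opener with nothing after it.
            if m and len(m.group(1)) >= open_len and not m.group(2).strip():
                bodies.append("\n".join(body))
                open_len = 0
            else:
                body.append(line)
    if open_len:
        # Unterminated fence: CommonMark runs it to the end of the document.
        bodies.append("\n".join(body))
    return bodies, loose


if __name__ == "__main__":
    for label, wrapper in (("naive", naive_wrap), ("hardened", wrap_markdown_cell)):
        bodies, loose = parse_fenced_blocks(wrapper(MALICIOUS))
        print(f"{label}: {len(bodies)} code block(s), escaped lines: {loose}")
```

With the naive wrapper the scanner sees two code blocks and one loose line, `<script>alert(1)</script>`, which a markdown-to-HTML step would pass through as raw HTML; with the adaptive fence it sees a single block whose body is exactly the original cell content. The scanner deliberately covers only backtick fences at column 0; tilde fences (`~~~`) and indented fences are separate cases, and raw HTML in markdown cells remains a sanitization concern of its own when the export target is HTML.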