XSS with HTML entities #592
HTML entities in the browser are not strict and parse what they can, leaving the rest behind. For example
@matt- Remarkable looks great (very very clean) but it's about 6x the size of Marked. For some use-cases (client-side) it seems like Marked would be preferable on those grounds (though for anything else I'm probably going to be using remarkable given the focus on performance).
EDIT: I was mistaken, this is still valid. Just had some more post processing that was causing it to not be reproducible in my app.
"Latest commit 88ce4df on Jul 31, 2015" This issue is not resolved and has not even been touched.
Example where marked works correctly:
Example this PR resolves with bad entities:
If you think this is still somehow resolved please read this blog to better understand the issue:
From the first sentence in this PR: "With the sanitize option on" This lib has a sanitize mode that is intended to block normal HTML and prevent XSS. https://github.com/chjj/marked#sanitize
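The thread's point is that the browser decodes character references more leniently than a sanitizer that only recognises well-formed `&...;` entities, so a sanitize mode must normalise a value the way the browser will before checking it. The following is an added example, not marked's own code: a lenient decoder (numeric references with or without the closing semicolon, plus a small subset of the legacy named entities browsers also accept without it), a strict decoder for contrast, and a link-href scheme check that normalises first; `LEGACY_NAMED`, `UNSAFE_SCHEMES` and `isSafeHref` are assumptions made for this example.

```javascript
// Added example, not marked's own code. Browsers decode character references
// leniently; a sanitizer that only understands well-formed "&name;" / "&#NN;"
// sees a different string than the one the browser renders.

// Subset of the legacy named entities browsers decode even without ';'
// (the real table is much larger; this list is an illustrative assumption).
const LEGACY_NAMED = { lt: '<', gt: '>', amp: '&', quot: '"' };

// Lenient decoder: numeric references (decimal or hex) with or without the
// closing ';', plus the legacy names above. Unknown references are left as-is.
function decodeEntitiesLenient(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (m, ref) => {
    if (ref[0] === '#') {
      const hex = ref[1] === 'x' || ref[1] === 'X';
      const cp = parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    const ch = LEGACY_NAMED[ref.toLowerCase()];
    return ch !== undefined ? ch : m;
  });
}

// Strict decoder of the kind the thread complains about: the ';' is required,
// so "&#58" (no semicolon) passes through untouched although the browser
// decodes it to ':'.
function decodeEntitiesStrict(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m) =>
    decodeEntitiesLenient(m));
}

// Schemes a sanitize mode should refuse in a link href (assumed list).
const UNSAFE_SCHEMES = ['javascript:', 'vbscript:', 'data:'];

// Normalise the href the way the browser will see it (decode leniently, drop
// the control/whitespace characters browsers ignore in URLs), then check the
// scheme. Checking before normalising is the gap the thread describes.
function isSafeHref(href) {
  const seen = decodeEntitiesLenient(href)
    .replace(/[\x00-\x20]+/g, '')
    .toLowerCase();
  return !UNSAFE_SCHEMES.some((scheme) => seen.startsWith(scheme));
}
```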