
img scr - not working #5

Open
suaw3k opened this issue Nov 23, 2012 · 6 comments

Comments


suaw3k commented Nov 23, 2012

Hi,

I try to put

     ![Alt text] (url)

it works but without

     scr="<url>"

so I can't see the image in the comment section.

medovob (Owner) commented Nov 27, 2012

Sorry. I don't think image URLs will get past the sanitizer so I'm afraid that image support is not an option at the moment. There might be a safe way to enable this but I'm not sure how at the moment.

Suggestions welcome


pjeby commented Feb 10, 2013

Actually, the reason this isn't working is because you need to pass a URI policy function to html_sanitize in js/oblong-workflowy.js, e.g.:

     $markdown.html(html_sanitize(converter.makeHtml(text), function(uri) {return uri;}));

This should restore support for images and links.

medovob (Owner) commented Feb 18, 2013

Thanks @pjeby but I fear I'd need a suitable URI policy function to enable this safely.

Would this not lead to potential JavaScript injection using href="javascript:doSomethingNasty();" ?


pjeby commented Feb 18, 2013

Well, it does need some URI policy, if you're using content created by others. (If you're exclusively using your own items, the lack of filtering is a feature - you can actually use it to modify Workflowy's UI...)

I suppose you could provide a couple of configuration options: exclude URLs and include URLs (a pair of case-insensitive regexes). If a URL matches the include and doesn't match the exclude, allow it. The default would exclude javascript: and data: URLs, and the default include could permit relative URLs (including scheme-relative), http, https, and ftp. So:

exclude: javascript:|data:
include: http:|https:|ftp:|(?![a-z][-+.a-z0-9]*:)

The above should put the okay on all relative URLs (i.e., ones lacking a "scheme:" prefix), and exclude prefixes not otherwise defined. (For exclusion purposes, the URL should be checked in both its encoded and decoded forms, so that you can't bypass validation using %-encoding.)
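As an added illustration (not code from this repository or from any commenter), here is what a URI policy of the kind described above could look like, in the shape html_sanitize expects: a function that receives the URL and returns it to allow or returns null to drop it. The names makeUriPolicy, DEFAULT_EXCLUDE, DEFAULT_INCLUDE and normalize are hypothetical. It anchors the include pattern at the start of the URL (so "foo:http:" does not count as an http URL), tests both the raw and %-decoded forms as the comment suggests, and additionally strips ASCII control characters before matching, since browsers ignore tabs and newlines inside a scheme.

```javascript
// Hypothetical defaults mirroring the patterns proposed in the thread.
// Case-insensitive; the include pattern is anchored at the start of the URL.
const DEFAULT_EXCLUDE = /javascript:|data:/i;
const DEFAULT_INCLUDE = /^(?:http:|https:|ftp:|(?![a-z][-+.a-z0-9]*:))/i;

// Remove ASCII control characters and spaces (U+0000..U+0020) so that
// "java\tscript:" is seen as "javascript:" when the rules are applied.
function normalize(uri) {
  return uri.replace(/[\u0000-\u0020]/g, '');
}

// Percent-decode, but tolerate malformed sequences instead of throwing.
function decodeLoosely(uri) {
  try {
    return decodeURIComponent(uri);
  } catch (e) {
    return uri;
  }
}

// Build a policy function: makeUriPolicy({ exclude: /.../i, include: /.../i }).
// Both options are optional; the defaults above are used when absent.
function makeUriPolicy(opts) {
  const exclude = (opts && opts.exclude) || DEFAULT_EXCLUDE;
  const include = (opts && opts.include) || DEFAULT_INCLUDE;

  return function uriPolicy(uri) {
    if (typeof uri !== 'string') return null;
    const trimmed = uri.trim();

    // Every form of the URL is checked: control-stripped and %-decoded.
    const stripped = normalize(trimmed);
    const candidates = [stripped, decodeLoosely(stripped)];

    // An exclusion match on any form rejects the URL outright.
    for (const c of candidates) {
      if (exclude.test(c)) return null;
    }
    // The include rule must hold for every form as well.
    for (const c of candidates) {
      if (!include.test(c)) return null;
    }
    // Allowed: hand the original (trimmed) URL back to the sanitizer.
    return trimmed;
  };
}

// Usage with the call from the thread (converter/text/$markdown come from the
// existing script and are not defined here):
//   $markdown.html(html_sanitize(converter.makeHtml(text), makeUriPolicy()));
```

With the defaults, absolute http/https/ftp URLs and relative or scheme-relative URLs pass, while javascript:, data:, and any other scheme (mailto:, vbscript:, ...) are dropped. Because the exclude pattern is unanchored, as in the proposal, a URL that merely contains "data:" in its query string is also rejected; that is the conservative side to err on for shared content.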

medovob (Owner) commented Feb 19, 2013

ok - sounds good

I think because of the shareable nature of Workflowy, there is always the potential to unwittingly land on a malicious list, which is why the sanitizer is there. I like the idea of having this configurable and your defaults sound sensible.

Just need to find a bit of time to put it together (unless you fancy doing it? :)


Pickachu commented Mar 2, 2013

👍

s5unty added a commit to s5unty/workflowy-for-coders that referenced this issue Aug 18, 2015