img src - not working #5
Comments
Sorry. I don't think image URLs will get past the sanitizer, so I'm afraid that image support is not an option at the moment. There might be a safe way to enable this but I'm not sure how at the moment. Suggestions welcome
Actually, the reason this isn't working is because you need to pass a URI policy function to html_sanitize in js/oblong-workflowy.js, e.g.: $markdown.html(html_sanitize(converter.makeHtml(text), function(uri) {return uri;})); This should restore support for images and links.
Thanks @pjeby but I fear I'd need a suitable URI policy function to enable this safely. Would this not lead to potential javascript injection using
Well, it does need some URI policy, if you're using content created by others. (If you're exclusively using your own items, the lack of filtering is a feature - you can actually use it to modify Workflowy's UI...)

I suppose you could provide a couple of configuration options: exclude URLs and include URLs (a pair of case-insensitive regexes). If a URL matches the include and doesn't match the exclude, allow it. The default would exclude javascript: and data: URLs, and the default include could permit relative URLs (including scheme-relative), http, https, and ftp. So:

exclude: javascript:|data:

The above should put the okay on all relative URLs (i.e., ones lacking a "scheme:" prefix), and exclude prefixes not otherwise defined. (For exclusion purposes, the URL should be checked in both its encoded and decoded forms, so that you can't bypass validation using %-encoding.)
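The include/exclude policy proposed above, written out as an added example (not code from the oblong-workflowy project or from either commenter). It has the shape html_sanitize expects from a URI policy (return the URI to allow it, null to drop it); the regexes, the whitespace normalisation and the decoded-form include check are assumptions added here, and html_sanitize, converter and $markdown are the names used earlier in the thread.

```javascript
// Added example, not oblong-workflowy code: a URI policy for html_sanitize
// built from the include/exclude regex pair proposed in the thread.
// Returns the URI to allow it, or null to have the sanitizer drop it.
//
// Defaults as proposed: exclude javascript: and data:; include relative URLs
// (no "scheme:" prefix, scheme-relative "//host" included), http, https, ftp.
const DEFAULT_EXCLUDE = /^(javascript|data):/i;
const DEFAULT_INCLUDE = /^(?![a-z][a-z0-9+.-]*:)|^(https?|ftp):/i;

// Normalise the way a browser does before scheme parsing: drop leading and
// trailing ASCII whitespace and embedded tab/CR/LF (WHATWG URL parser rules).
function normalise(uri) {
  return String(uri).replace(/[\t\r\n]/g, '').trim();
}

function makeUriPolicy(include = DEFAULT_INCLUDE, exclude = DEFAULT_EXCLUDE) {
  return function uriPolicy(uri) {
    const raw = normalise(uri);
    let decoded;
    try {
      decoded = normalise(decodeURIComponent(raw));
    } catch (e) {
      return null; // malformed %-escapes: reject rather than guess
    }
    // Exclusion is checked on both forms so %-encoding cannot hide a scheme.
    if (exclude.test(raw) || exclude.test(decoded)) return null;
    // Inclusion is required of both forms as well: a %-encoded "scheme:"
    // would otherwise look relative here and be decoded later by the browser.
    // (Conservative: a relative path containing "%3A" is rejected too.)
    if (!include.test(raw) || !include.test(decoded)) return null;
    return raw; // allowed: hand the normalised URI back to the sanitizer
  };
}

const uriPolicy = makeUriPolicy();

// Where it would plug in, per the earlier comment (illustrative call only):
//   $markdown.html(html_sanitize(converter.makeHtml(text), uriPolicy));
```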
ok - sounds good. I think because of the shareable nature of Workflowy, there is always the potential to unwittingly land on a malicious list, which is why the sanitizer is there. I like the idea of having this configurable and your defaults sound sensible. Just need to find a bit of time to put it together (unless you fancy doing it? :)
👍
Hi,
I try to put
it work but without
so I can't see image in comment section.