
How to solve XSS problem in better way? #106

Closed
allenhsu opened this Issue Jun 21, 2013 · 2 comments


I'm working on a project whose contents are generated by users. So XSS should be taken care of. With code similar to the following one, users can generate a javascript link, which causes XSS problems.

[Link](javascript:alert('XSS'))

How can I prevent XSS problems in a better way?

BTW, is there any way to configure which tags are supported?

Owner

michelf commented Jun 21, 2013

Use a separate XSS filter.
http://michelf.ca/blog/2010/markdown-and-xss/

There's no way to configure which tags are allowed and which are not in the Markdown parser. But if you use a good XSS filter you should be able to whitelist permissible tags and attributes.

Thanks, according to the blog, I'll give kses a try. I've also found htmlpurifier.org.
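The separate allowlist filter michelf recommends, written out as an added Python example (not the project's code and not kses or HTMLPurifier; the names `Sanitizer`, `safe_url`, `sanitize` and the constructed sample `RENDERED` are assumptions): it runs over the HTML that Markdown produced, keeps only listed tags and attributes, drops any `href` whose scheme is not http/https/mailto, and re-escapes text, so the `javascript:` link from the issue comes out as a harmless bare `<a>`.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit
ALLOWED_TAGS = {"p", "a", "em", "strong", "code", "pre", "ul", "ol", "li", "blockquote", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}  # no on* handlers, no style, nothing else
ALLOWED_SCHEMES = {"http", "https", "mailto"}
DROP_CONTENT = {"script", "style"}        # removed together with their inner text

def safe_url(value):
    # Browsers ignore control chars/whitespace inside a scheme, so strip them first.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    scheme = urlsplit(cleaned).scheme.lower()
    return cleaned if scheme == "" or scheme in ALLOWED_SCHEMES else None

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0       # skip > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = ""
            for name, value in attrs:
                if name == "href":        # only allowed schemes or relative URLs survive
                    value = safe_url(value or "")
                if name in ALLOWED_ATTRS.get(tag, ()) and value is not None:
                    kept += ' %s="%s"' % (name, html.escape(value, quote=True))
            self.out.append("<%s%s%s>" % (tag, kept, " /" if tag == "br" else ""))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:                 # text is re-escaped on the way out
            self.out.append(html.escape(data, quote=False))

def sanitize(rendered_html):
    s = Sanitizer()
    s.feed(rendered_html)
    s.close()
    return "".join(s.out)

# Constructed sample: PHP Markdown's output for the link in the issue, plus a
# raw HTML link (Markdown passes inline HTML through) carrying an event handler.
RENDERED = ('<p><a href="javascript:alert(\'XSS\')">Link</a> '
            '<a href="https://example.com/" onclick="x()">1 &lt; 2</a></p>')
```

`sanitize(RENDERED)` yields `<p><a>Link</a> <a href="https://example.com/">1 &lt; 2</a></p>`; the filter belongs after Markdown conversion, not before it, since Markdown would otherwise regenerate the HTML.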

@michelf michelf closed this Jun 22, 2013
