Injection Vulnerability using SummernoteInplaceWidget #415
Comments
There is a note about this in the instructions that says something like: use 'summernotetextfield', which uses bleach to sanitize HTML.
Because I'm using Mozilla on my development machine I can't view iframes from localhost, so I can't know if the implementation of bleach is successful. I have tried using bleach separately, but it removes tags and attributes and doesn't seem to handle onerror successfully, although I haven't spent a lot of time on it yet.
Also, in the latest django_summernote from PyPI, there is no bleach at all.
And in a directory listing, there is no settings.py, so no bleach at all.
If it's any consolation, the same thing happens with django_tinymce. I am guessing the correct answer is to catch the text in the form_valid function and regex out any annoying stuff. Shame bleach doesn't work, although I have opened an issue at
OK, it seems it was my fault. Bleach does work, but not on escaped HTML. So, I now run
and bleach strips the onerror tag as expected.
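The point made in the comment above (a sanitizer only sees text in HTML-escaped input, so an onerror handler survives until something unescapes it, and unescaping before sanitizing removes it) is shown here with an added example. This is not code from the issue or from django-summernote, and it does not use bleach: a small allowlist sanitizer built on the standard library's html.parser stands in for it so the script runs with no extra packages. The tag and attribute allowlist, the helper names and the payloads are all assumptions made for the demonstration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allowlist chosen for this example; it does not reproduce
# django-summernote's real bleach settings.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "a", "img", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" means a relative URL


def _safe_url(value):
    """Reject javascript:, data: and any other scheme not on the allowlist."""
    return urlsplit((value or "").strip()).scheme.lower() in SAFE_SCHEMES


class _AllowlistSanitizer(HTMLParser):
    """Rebuild a fragment keeping only allowlisted tags and attributes.

    Every on* event-handler attribute is dropped whatever the tag, and all
    text nodes are re-escaped on output, so markup that arrives as text
    stays text.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # disallowed element: drop the tag, its text still passes through
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):
                continue  # onerror, onload, onclick, ... never survive
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not _safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img ... /> style void tags

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize(fragment):
    """Sanitize an HTML fragment; text that is already escaped is left as text."""
    parser = _AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def sanitize_escaped_submission(escaped_fragment):
    """The fix described in the comment: unescape first, then sanitize."""
    return sanitize(html.unescape(escaped_fragment))


# Constructed payloads for the demonstration, not taken from the issue.
RAW_PAYLOAD = '<img src=x onerror=alert(1)>'
ESCAPED_PAYLOAD = html.escape(RAW_PAYLOAD, quote=False)  # as a form field would post it

if __name__ == "__main__":
    # The sanitizer sees no markup in the escaped form, so 'onerror' is still
    # present; it only becomes live if something later unescapes the output.
    print(sanitize(ESCAPED_PAYLOAD))
    # Unescape first and the handler is gone.
    print(sanitize_escaped_submission(ESCAPED_PAYLOAD))
    print(sanitize('<a href="javascript:alert(1)">x</a><script>alert(2)</script>'))
```

The sanitizer is deliberately minimal (it does not balance unclosed tags, for instance); the thing to take from it is the ordering: whatever does the sanitizing has to run on the same representation that will eventually be rendered, otherwise an escaped payload slips through as harmless text and is reactivated by a later unescape.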
Of course, django_summernote has got bleach baked in, at least it will do when PyPI is updated.... :(
It is annoying that the package on PyPI has not included the bleach feature yet.
Hi, I have detected that a user can make an XSS attack with the data he enters.
How could I solve it?
Reproduce steps
Code