Escape HTML in output so that we don't have XSS vulnerabilities
This commit is contained in:
parent
137dfa747d
commit
5a630659e2
1 changed files with 14 additions and 1 deletions
|
@ -25,8 +25,21 @@ impl Document {
|
||||||
|
|
||||||
let parser = markdown::Parser::new_ext(&self.content, options);
|
let parser = markdown::Parser::new_ext(&self.content, options);
|
||||||
|
|
||||||
|
// If we just process things as they are, we are vulnerable to XSS
|
||||||
|
// attacks, since users can inject any HTML they'd like. To prevent
|
||||||
|
// this, we convert any parsed HTML to just text. In the future, we can
|
||||||
|
// instead sanitize the HTML using something like
|
||||||
|
// [ammonia](https://crates.io/crates/ammonia) to make the HTML safer.
|
||||||
|
// Draws inspiration from
|
||||||
|
// [pulldown-cmark/pulldown-cmark#608](https://github.com/pulldown-cmark/pulldown-cmark/issues/608)
|
||||||
|
let escaped = parser.into_iter().map(|event| match event {
|
||||||
|
markdown::Event::Html(html) => markdown::Event::Text(html),
|
||||||
|
markdown::Event::InlineHtml(html) => markdown::Event::Text(html),
|
||||||
|
_ => event,
|
||||||
|
});
|
||||||
|
|
||||||
let mut html_output = String::new();
|
let mut html_output = String::new();
|
||||||
markdown::html::push_html(&mut html_output, parser);
|
markdown::html::push_html(&mut html_output, escaped);
|
||||||
|
|
||||||
html_output
|
html_output
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue