nicole/pique
1
0
Fork 0
Code Pull requests Activity

Escape HTML while parsing Markdown documents to remove XSS vulnerabilities #4

Merged
nicole merged 1 commit from fix-xss-vulnerability into main 2024-06-03 18:15:53 +00:00
Conversation 0 Commits 1 Files changed 1 +14 -1
nicole commented 2024-06-03 18:15:46 +00:00
Owner
Copy link

Here, I opted to use the Markdown parser's detection of HTML so that we don't add another library. This does limit users somewhat, because it means that no inline HTML is allowed, but I think this is acceptable: this is a platform for project management, not general-purpose publishing, so inline HTML is probably not necessary. There is a clear upgrade path in the future to add sanitizing instead of escaping tags, if we want.

This approach also gives us a clear place to plug in detection of extra things, like custom @ tags or other features.

Here, I opted to use the Markdown parser's detection of HTML so that we don't add another library. This does limit users somewhat, because it means that *no* inline HTML is allowed, but I think this is acceptable: this is a platform for project management, not general-purpose publishing, so inline HTML is probably not necessary. There is a clear upgrade path in the future to add sanitizing instead of escaping tags, if we want. This approach also gives us a clear place to plug in detection of extra things, like custom `@` tags or other features.
nicole added 1 commit 2024-06-03 18:15:47 +00:00
nicole merged commit 0611aac45f into main 2024-06-03 18:15:53 +00:00
nicole deleted branch fix-xss-vulnerability 2024-06-03 18:15:53 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: nicole/pique#4
No description provided.
Delete branch "fix-xss-vulnerability"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?