nicole
/
pique
1
0
Fork 0
Code Pull Requests Activity

Escape HTML while parsing Markdown documents to remove XSS vulnerabilities #4

Merged
nicole merged 1 commits from fix-xss-vulnerability into main 2024-06-03 18:15:53 +00:00
Conversation 0 Commits 1 Files Changed 1 +14 -1
1 changed files with 14 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/models/documents.rs
View File

@ -25,8 +25,21 @@ impl Document {
let parser = markdown::Parser::new_ext(&self.content, options);
// If we just process things as they are, we are vulnerable to XSS
// attacks, since users can inject any HTML they'd like. To prevent
// this, we convert any parsed HTML to just text. In the future, we can
// instead sanitize the HTML using something like
// [ammonia](https://crates.io/crates/ammonia) to make the HTML safer.
// Draws inspiration from
// [pulldown-cmark/pulldown-cmark#608](https://github.com/pulldown-cmark/pulldown-cmark/issues/608)
let escaped = parser.into_iter().map(|event| match event {
markdown::Event::Html(html) => markdown::Event::Text(html),
markdown::Event::InlineHtml(html) => markdown::Event::Text(html),
_ => event,
});
let mut html_output = String::new();
markdown::html::push_html(&mut html_output, parser);
markdown::html::push_html(&mut html_output, escaped);
html_output
}