<script> cuts off post, crashes editor after save
#857
Comments
|
I sense an XSS vulnerability too. Probably time to get that CSP middleware in... |
|
Ghost currently allows all HTML tags in the editor. This could lead to some unwanted behavior as described above or worse to XSS vulnerabilities. One solution would be restricting the allowed inline HTML tags similar to Stackoverflow.com: http://meta.stackoverflow.com/questions/1777/what-html-tags-are-allowed-on-stack-exchange-sites |
|
We can also filter the HTML to ensure all tags are balanced properly. |
|
That said, we should be escaping all HTML that appears inside back ticks. Happy to take this one. |
|
First, we should make it so that what this guy did doesn't cause an enormous crash and unrecoverable post This sounds like a lot for one issue... so lets say the desired outcome from this issue is that the editor doesn't explode completely when users do stupid stuff if possible? The other items can be separate issues I think. |
|
So, the main problem to fix, it would seem, is getting codemirror to treat the html in codemirror as text and not execute stuff :/ This comment has script tags in it like this:
But github doesn't execute the code, currently ghost does... eek |
closes TryGhost#857 - markdown is inserted into codemirror with .text() not .html()
ghost
assigned
|
The tiny change from using .html() to using .text() solves the majority of the problem. No HTML in the editor is treated as HTML, HTML inside of back ticks is correctly escaped, and although we could balance tags, it's much more obvious that tags are in balanced now, because it breaks in a much more reliable way - if you put a single script tag in, nothing afterwards gets rendered. I'm really not sure about limiting tags at this stage, there are lots of valid use cases for having script tags inside of posts, such as embedding gists Casper#26 I'm gonna close this for now and think some more about tag balancing and limiting. |
From the forum
I tried publishing following article, that previously was served through poet: (careful, german!):
http://pastebin.com/dAj48CBp
At the
<script>part Ghost seems to fail after the post is saved. When I open it again the last visible character of the post is the ` and I can’t edit the post, the markdown preview is not generated.I’m on 0.3, using Firefox 24, Arch Linux
Am I doing it wrong or should this be escaped somehow?
The text was updated successfully, but these errors were encountered: