Inject javascript into markDown #6526

fschade · 2022-03-04T10:27:36Z

Steps to reproduce

create space
edit description
add [link](javascript:alert('aaa')) as content
click the link in the rendered markdown

Expected behaviour

web should prevent to inject javascript or other possible dynamic contents.

Actual behaviour

javascript can be injected and executed from/for all space members

Solution

for now we sanitize the md rendered content and restrict those options, as a long term goal the backend also should handle those situations and strip out potential code parts.

The text was updated successfully, but these errors were encountered:

C0rby · 2022-03-04T10:30:11Z

as a long term goal the backend also should handle those situations and strip out potential code parts.

I don't think that this is necessary or a good idea. You might want to sync markdown files with html img tags and so on but we don't want to display that in the spaces description. I think it makes sense to just let the frontend sanitize the content before displaying.

fschade mentioned this issue Mar 4, 2022

Introduce sanitizeHtml to sanitize markdown content #6523

Merged

10 tasks

pascalwengerter closed this as completed in #6523 Mar 4, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Inject javascript into markDown #6526

Inject javascript into markDown #6526

fschade commented Mar 4, 2022

C0rby commented Mar 4, 2022 •

edited

Loading

Inject javascript into markDown #6526

Inject javascript into markDown #6526

Comments

fschade commented Mar 4, 2022

Steps to reproduce

Expected behaviour

Actual behaviour

Solution

C0rby commented Mar 4, 2022 • edited Loading

C0rby commented Mar 4, 2022 •

edited

Loading