
How to deal with XSS?? #560

Open
KevinBlandy opened this issue Apr 12, 2018 · 3 comments

Comments

@KevinBlandy

Markdown. There are too many XSS vulnerabilities; how does everyone solve this problem?

KevinBlandy changed the title from "XSS" to "How to deal with XSS??" on Apr 12, 2018
@hawtim

hawtim commented May 3, 2018

@KevinBlandy You may have turned on HTML parsing. What I do in practice is use the config option htmlDecode: 'script|on*', i.e. enable HTML parsing and then filter the DOM `on` attributes. The main repository currently has a bug when on* is used; you can look at my fork, which has already fixed some of the XSS problems. See the commit history for details.
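To show what a spec like `htmlDecode: 'script|on*'` means in practice, here is an added example that is not editor.md's code nor hawtim's fork: it assumes the spec format "<comma-separated blocked tags>|<comma-separated blocked attribute patterns>" with `*` as a wildcard, and the functions `parseHtmlDecode` and `filterHtml` plus the sample HTML are constructed for illustration.

```javascript
// Added illustration (not editor.md's code): apply the semantics of an
// htmlDecode-style spec such as 'script|on*' to rendered HTML.
// Assumed spec format: "<blocked tags>|<blocked attribute patterns>", '*' is a wildcard.
function parseHtmlDecode(spec) {
  const [tagPart = '', attrPart = ''] = spec.split('|');
  const split = (s) => s.split(',').map((x) => x.trim().toLowerCase()).filter(Boolean);
  const tags = new Set(split(tagPart));
  // Turn a pattern like "on*" into /^on.*$/i; other regex metacharacters are escaped.
  const attrPatterns = split(attrPart).map(
    (p) => new RegExp('^' + p.replace(/[.+?^${}()[\]\\]/g, '\\$&').replace(/\*/g, '.*') + '$', 'i'),
  );
  return { tags, attrPatterns };
}

function filterHtml(html, spec) {
  const { tags, attrPatterns } = parseHtmlDecode(spec);
  // Remove blocked elements together with their content (e.g. <script>...</script>).
  for (const tag of tags) {
    const re = new RegExp(`<${tag}\\b[^>]*>[\\s\\S]*?<\\/${tag}\\s*>|<${tag}\\b[^>]*\\/?>`, 'gi');
    html = html.replace(re, '');
  }
  // Rewrite each remaining start tag, dropping attributes whose name matches a
  // blocked pattern; 'on*' catches onerror, onclick, onload and so on (case-insensitive).
  const startTag = /<([a-z][\w-]*)((?:\s+[^\s=>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*(\/?)>/gi;
  const attr = /([^\s=>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;
  return html.replace(startTag, (_m, name, attrs, selfClose) => {
    const kept = [];
    for (const a of attrs.matchAll(attr)) {
      if (attrPatterns.some((p) => p.test(a[1].toLowerCase()))) continue; // blocked attribute
      kept.push(a[2] === undefined ? a[1] : `${a[1]}=${a[2]}`);
    }
    return `<${name}${kept.length ? ' ' + kept.join(' ') : ''}${selfClose}>`;
  });
}

// Constructed sample: HTML as a Markdown renderer might emit it with HTML passthrough enabled.
const sample = '<p>hello</p><script>x()</script><img src="a.png" onerror="y()"><a href="/doc" onclick="z()">doc</a>';
console.log(filterHtml(sample, 'script|on*'));
```

A tag/attribute blocklist like this only covers what the spec names; it does not inspect URL schemes in href/src or inline CSS, so a DOM-based allowlist sanitizer such as DOMPurify is the safer choice for production rendering.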

@KevinBlandy
Author

I used another JavaScript XSS library to handle the XSS problems introduced when Markdown is parsed into HTML.

@hawtim

hawtim commented May 3, 2018

Yes, I used that before, but because of the project's history I had to stay compatible with the previous HTML parsing approach, so I handled it in the source code.

alromh87 added a commit to alromh87/editor.md that referenced this issue Sep 10, 2020
fixes #pandao#612
fixes #pandao#662
fixes #pandao#697
fixes #pandao#700
fixes #pandao#701
fixes #pandao#709
fixes #pandao#715
fixes #pandao#764
fixes #pandao#816

### Probably:
fixes #pandao#307
fixes #pandao#560