How to deal with XSS?? #560
Comments
@KevinBlandy You may already have HTML parsing enabled. What I did in practice was use the config option htmlDecode: 'script |on*', i.e. enable HTML parsing and then filter the DOM's on attributes. Using on* with the main repository currently has a bug; you can look at my fork, which has already fixed some of the XSS issues. See the commit history for details.

I used another JavaScript XSS library to handle the XSS problems that arise when Markdown is parsed into HTML.

Yes, I used that before, but because of project history we had to stay compatible with the previous HTML parsing approach, so I handled it in the source code instead.
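An added illustration (not editor.md's own code) of what the `htmlDecode: 'script |on*'` setting in the first comment amounts to: drop `<script>` elements entirely and strip any attribute whose name begins with `on`. The tag and attribute grammar handled here is deliberately simplified and is an assumption of this example.

```javascript
// Added example, not part of editor.md: a minimal filter with the semantics of
// editor.md's `htmlDecode: 'script|on*'` option (scripts removed, on* attributes
// stripped). It assumes a simple, well-formed tag/attribute syntax.

// One attribute: a name, optionally followed by = and a quoted or bare value.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;

// Return the attribute string with every on* attribute (onerror, onload, onclick, ...) removed.
function filterAttributes(attrString) {
  const kept = [];
  for (const m of attrString.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    if (name.startsWith('on')) continue; // this is the "on*" part of the option
    kept.push(m[0]);
  }
  return kept.length ? ' ' + kept.join(' ') : '';
}

// Apply the "script" part (remove script elements with their content) and then
// rewrite each remaining opening tag with its on* attributes filtered out.
function sanitizeHtml(html) {
  let out = html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
  out = out.replace(/<\/?script\b[^>]*>/gi, ''); // any unpaired script tags
  out = out.replace(
    /<([a-zA-Z][a-zA-Z0-9-]*)((?:\s[^>]*?)?)\s*(\/?)>/g,
    (_, tag, attrs, selfClose) => `<${tag}${filterAttributes(attrs)}${selfClose}>`
  );
  return out;
}

// Constructed sample input, as a Markdown renderer with raw HTML enabled might produce it.
const SAMPLE = '<p>hello</p><script>alert(1)</script><img src="x.png" onerror="alert(1)">';
console.log(sanitizeHtml(SAMPLE)); // <p>hello</p><img src="x.png">
```

Regex-based filtering like this misses many real HTML parsing corner cases and only covers the two things the option names; it shows what the configuration does, not a replacement for a maintained sanitizer such as the library mentioned in the second comment.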
alromh87 added a commit to alromh87/editor.md that referenced this issue on Sep 10, 2020:
fixes #pandao#612 fixes #pandao#662 fixes #pandao#697 fixes #pandao#700 fixes #pandao#701 fixes #pandao#709 fixes #pandao#715 fixes #pandao#764 fixes #pandao#816 ### Probably: fixes #pandao#307 fixes #pandao#560
alromh87 added a commit to alromh87/editor.md that referenced this issue on Sep 10, 2020:
fixes #pandao#612 fixes #pandao#662 fixes #pandao#697 fixes #pandao#700 fixes #pandao#701 fixes #pandao#709 fixes #pandao#715 fixes #pandao#764 fixes #pandao#816 fixes #pandao#307 fixes #pandao#560
Markdown: there are far too many XSS vulnerabilities. How is everyone solving this problem?