GEWIS / gewisweb

GEWIS Website
https://gewis.nl
GNU General Public License v3.0

Prevent image injection in default Markdown renderer #1780

Closed tomudding closed 5 months ago

tomudding commented 5 months ago

Current behaviour

It is currently possible to bypass the safety checks of the default Markdown editor to be able to render images through the default Markdown renderer.

Desired behaviour

![]() should always be rendered as text

Steps to reproduce

TBA

Website version

06e37b2e379bb486758d8c342a89dc6f7d6b3561

What operating system are you seeing the problem on?

No response

What browsers are you seeing the problem on?

No response

Other information

No response

tomudding commented 5 months ago

Is fixed by creating a custom CommonMarkCoreExtension that does not have the default ImageRenderer.
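One way to get the desired behaviour (image markup always rendered as text) in league/commonmark, the library that CommonMarkCoreExtension and ImageRenderer belong to. This is an added example, not gewisweb's code: instead of replacing the core extension as the comment above describes, it keeps CommonMarkCoreExtension and registers a higher-priority renderer for the Image node; the class name ImageAsTextRenderer and the sample input are made up for illustration.

```php
<?php
// Added example (not gewisweb code): make league/commonmark emit image markup
// as escaped text instead of an <img> tag. The issue's own fix swaps
// CommonMarkCoreExtension for a copy without ImageRenderer; this variant keeps
// the core extension and overrides only the renderer for the Image node.
require __DIR__ . '/vendor/autoload.php'; // assumes league/commonmark ^2.0 is installed

use League\CommonMark\Environment\Environment;
use League\CommonMark\Extension\CommonMark\CommonMarkCoreExtension;
use League\CommonMark\Extension\CommonMark\Node\Inline\Image;
use League\CommonMark\MarkdownConverter;
use League\CommonMark\Node\Node;
use League\CommonMark\Renderer\ChildNodeRendererInterface;
use League\CommonMark\Renderer\NodeRendererInterface;
use League\CommonMark\Util\Xml;

// Hypothetical renderer name: re-emits the parsed image as plain Markdown text.
final class ImageAsTextRenderer implements NodeRendererInterface
{
    public function render(Node $node, ChildNodeRendererInterface $childRenderer): string
    {
        Image::assertInstanceOf($node);

        // Alt text lives in the child inline nodes (already escaped by their own
        // renderers); URL and title are escaped so they cannot break out of the HTML.
        $alt   = $childRenderer->renderNodes($node->children());
        $url   = Xml::escape($node->getUrl());
        $title = $node->getTitle();

        return '![' . $alt . '](' . $url
            . ($title !== null ? ' &quot;' . Xml::escape($title) . '&quot;' : '')
            . ')';
    }
}

$environment = new Environment([
    'html_input'         => 'strip', // also drop raw <img> written as inline HTML
    'allow_unsafe_links' => false,
]);
$environment->addExtension(new CommonMarkCoreExtension());
// Priority 10 outranks the core ImageRenderer, which is registered at priority 0.
$environment->addRenderer(Image::class, new ImageAsTextRenderer(), 10);

$converter = new MarkdownConverter($environment);

// Constructed input: image markup that must come out as text, next to a link that should still work.
$markdown = "Hello ![logo](https://example.invalid/logo.png \"t\") and [docs](https://gewis.nl)";
echo $converter->convert($markdown);
```

The image reference is emitted inside the paragraph as literal `![logo](...)` text while the link is rendered normally; `html_input => 'strip'` covers the separate case of an `<img>` tag typed directly as HTML.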