ITI / searcch

SEARCCH Hub Frontend
https://searcch.cyberexperimentation.org/
BSD 3-Clause "New" or "Revised" License

improve and verify markdown renderer #157

Closed carboxylman closed 1 year ago

carboxylman commented 1 year ago

We need to verify that our markdown renderer approach is XSS-safe, and possibly choose one that can render inline HTML instead of blockquoting. Inline HTML is part of the commonmark standard, after all. For a quick refresher on the risks, see https://github.com/showdownjs/showdown/wiki/Markdown's-XSS-Vulnerability-(and-how-to-mitigate-it).

carboxylman commented 1 year ago

https://github.com/icsdataset/hai is a good example artifact, since its README.md uses both inline HTML (table) and a standard markdown table. Our current vue-simple-markdown doesn't render either.

carboxylman commented 1 year ago

My preferred path to "solve" this is probably to move to showdown and sanitize its output (e.g. with https://www.npmjs.com/package/vue-sanitize) before render. There is a vue2 showdown plugin (https://github.com/meteorlxy/vue-showdown/tree/v2/docs/guide) although upstream has moved to v3. Or there is also https://www.npmjs.com/package/vue2-markdown-it .
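
One way to implement the "render with showdown, then sanitize before it reaches v-html" step proposed above, as an added example that is not part of this thread or of the SEARCCH code base. It assumes the renderer passes inline HTML from the README through unchanged, so the sanitizer is the only control between artifact content and the DOM. `sanitizeHtml`, `safeUrl` and the constructed `RENDERED` sample are this example's own names; the sample imitates the shape of renderer output for a README like HAI's (a converted Markdown table plus an inline-HTML table) together with the payload shapes the linked showdown wiki page warns about. In production the sanitizer should be a maintained one (DOMPurify, or sanitize-html via the vue-sanitize package mentioned above); the hand-rolled allowlist here only makes the decisions visible.

```javascript
'use strict';
// Added example (not SEARCCH project code): allowlist sanitization of
// Markdown-renderer output before it is inserted into the DOM.

const ALLOWED_TAGS = new Set([
  'p', 'br', 'hr', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
  'ul', 'ol', 'li', 'blockquote', 'pre', 'code', 'em', 'strong', 'del',
  'a', 'img', 'table', 'thead', 'tbody', 'tr', 'th', 'td',
]);
// Elements whose text content is dropped together with the tag.
const DROP_WITH_CONTENT = new Set([
  'script', 'style', 'iframe', 'object', 'embed', 'noscript', 'template', 'svg', 'math',
]);
// Per-tag attribute allowlist; on*, style, class, id and everything else are removed.
const ALLOWED_ATTRS = {
  a: new Set(['href', 'title']),
  img: new Set(['src', 'alt', 'title', 'width', 'height']),
  th: new Set(['colspan', 'rowspan', 'align']),
  td: new Set(['colspan', 'rowspan', 'align']),
};
const URL_ATTRS = new Set(['href', 'src']);
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Decode numeric references (browsers accept them without the ';') and the
// named ones a renderer emits; unknown named references are left in place.
const NAMED_REFS = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
function decodeRefs(s) {
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+);?|&([a-zA-Z][a-zA-Z0-9]*);/g, (whole, num, name) => {
    if (num !== undefined) {
      const cp = /^#[xX]/.test(num) ? parseInt(num.slice(2), 16) : parseInt(num.slice(1), 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
    }
    return Object.prototype.hasOwnProperty.call(NAMED_REFS, name) ? NAMED_REFS[name] : whole;
  });
}

// Scheme check that mimics what the browser does with the value: decode
// references, ignore tab/newline/control bytes, then read the scheme.
function safeUrl(rawValue) {
  const decoded = decodeRefs(rawValue);
  // A named reference we could not decode (e.g. &colon;) would still be
  // decoded by the browser, so fail closed instead of guessing.
  if (/&[a-zA-Z][a-zA-Z0-9]*;/.test(decoded)) return false;
  const stripped = decoded.replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(stripped);
  return m === null || ALLOWED_SCHEMES.has(m[1].toLowerCase()); // relative URLs pass
}

function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
function sanitizeAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return '';
  let out = '';
  ATTR_RE.lastIndex = 0;
  for (let m; (m = ATTR_RE.exec(rawAttrs)) !== null;) {
    const name = m[1].toLowerCase();
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || '');
    if (!allowed.has(name)) continue;
    if (URL_ATTRS.has(name) && !safeUrl(value)) continue;
    out += ` ${name}="${escapeAttr(decodeRefs(value))}"`;
  }
  if (tag === 'a' && out.includes(' href=')) out += ' rel="noopener noreferrer"';
  return out;
}

// Tokens: comment | tag | stray '<' | text run. A malformed tag falls through
// to the stray-'<' branch and is escaped, so parse failures fail closed.
const TOKEN_RE = /<!--[\s\S]*?-->|<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>|<|[^<]+/g;
function sanitizeHtml(html) {
  let out = '';
  TOKEN_RE.lastIndex = 0;
  for (let m; (m = TOKEN_RE.exec(html)) !== null;) {
    const token = m[0];
    if (token.startsWith('<!--')) continue;
    if (token === '<') { out += '&lt;'; continue; }
    if (m[2] === undefined) { out += token; continue; } // text, as the renderer encoded it
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    if (!closing && DROP_WITH_CONTENT.has(tag)) {
      const rest = html.slice(TOKEN_RE.lastIndex).toLowerCase();
      const close = rest.search(new RegExp(`</${tag}\\s*>`));
      TOKEN_RE.lastIndex = close === -1 ? html.length
        : TOKEN_RE.lastIndex + close + rest.slice(close).indexOf('>') + 1;
      continue;
    }
    if (!ALLOWED_TAGS.has(tag)) continue; // unknown tag: drop it, keep its text
    out += closing ? `</${tag}>` : `<${tag}${sanitizeAttrs(tag, m[3])}>`;
  }
  return out;
}

// Constructed sample of renderer output (not the real HAI README): a Markdown
// table already converted to HTML, an inline-HTML table passed through as-is,
// and the payload shapes the showdown wiki page warns about.
const RENDERED = [
  '<h2 id="datasets">Datasets</h2>',
  '<table><thead><tr><th>Version</th><th>Rows</th></tr></thead>',
  '<tbody><tr><td>HAI 20.07</td><td>3 &amp; 4</td></tr></tbody></table>',
  '<table border="1" style="width:100%"><tr><td colspan="2">inline HTML table</td></tr></table>',
  '<p><a href="https://github.com/icsdataset/hai">repo</a></p>',
  '<p><a href="javascript:alert(1)">click</a></p>',
  '<p><a href="&#106;avascript:alert(1)">click</a></p>',
  '<p><a href="java\tscript:alert(1)">click</a></p>',
  '<p><img src="x" onerror="alert(1)"></p>',
  '<script>alert(1)</script><p>after</p>',
].join('\n');

console.log(sanitizeHtml(RENDERED));
```

The point worth checking in whatever sanitizer is finally chosen is the URL handling: the plain `javascript:` link, the numeric-reference spelling, and the tab-in-scheme spelling all reach the browser as the same URL, so the check has to decode and strip the way the browser does (or fail closed on anything it cannot decode), not just string-match the attribute value. The inline-HTML table keeps its `colspan` and loses its `style`, which is the behaviour wanted for the HAI README.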

carboxylman commented 1 year ago

We should act on this urgently, since we are keeping the minimal-scoped SSO token in the browser in lieu of our own session cookies.

carboxylman commented 1 year ago

Overlaps with https://github.com/ITI/searcch/issues/148

carboxylman commented 1 year ago

@ckouder are you planning to follow the path I mentioned above (https://github.com/ITI/searcch/issues/157#issuecomment-1249920951), or have you found a different strategy?

ckouder commented 1 year ago

I'll follow the path you mentioned. I think it's pretty straightforward.

carboxylman commented 1 year ago

Closed by @ckouder in PR #164.