Ibit-to / google-unlocked

Google Unlocked browser extension uncensor google search results
https://ibit.uno

Prevent XSS #4

Closed diegocr closed 5 years ago

diegocr commented 5 years ago

</paranoid>

Ibit-to commented 5 years ago

Thanks for your PR.

The regex match is already filtering any HTML tags />(https?:\/\/[^<]+)<\/li>/g. I am not sure if there will be any HTML to escape in the links?

diegocr commented 5 years ago

Yeah, I was being paranoid here... in theory you're right, but you could also prevent double quotes to avoid malformed HTML, which may or may not turn out to be exploitable...

Ibit-to commented 5 years ago

What about filtering the double quotes in the regex />(https?:\/\/[^<"]+)<\/li>/g?

diegocr commented 5 years ago

You could do that, however personally I would opt for a more strict and specific filtering at the time we concatenate strings, especially those behind a jQuery.html() - and the like - function invocation.
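The two options discussed above, side by side, as an added example that is not part of the extension's code or of this pull request. It runs both regexes from the thread over a constructed snippet of list markup, then shows what happens when a captured URL is concatenated into an attribute with and without escaping. The helper names (extractLinks, escapeHtml, renderUnsafe, renderEscaped) and the sample input are assumptions made for the illustration.

```javascript
// Added example: not code from the google-unlocked extension or this PR.
// Shows what the regex from the thread lets through and why escaping at
// the concatenation point is the more robust control.

// The regex quoted in the thread: captures a URL sitting between ">" and "</li>".
const LOOSE_RE = />(https?:\/\/[^<]+)<\/li>/g;
// The tightened variant proposed in the thread: also stops at a double quote.
const STRICT_RE = />(https?:\/\/[^<"]+)<\/li>/g;

// Collect every capture group 1 of `re` found in `html` (hypothetical helper).
function extractLinks(html, re) {
  const links = [];
  for (const m of html.matchAll(re)) links.push(m[1]);
  return links;
}

// Minimal escaper for text nodes and double-quoted attribute values
// (hypothetical helper; a real project would use a vetted library).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe: the captured URL goes straight into an attribute. A quote in the
// URL closes the href attribute early and injects a new one.
function renderUnsafe(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Safer: escape right where the string is built, regardless of what the
// extraction regex happened to allow upstream.
function renderEscaped(url) {
  const safe = escapeHtml(url);
  return '<a href="' + safe + '">' + safe + '</a>';
}

// Constructed sample input: one ordinary link and one whose path carries a
// double quote followed by an attribute-looking payload.
const SAMPLE = [
  '<ul>',
  '<li>https://example.com/page</li>',
  '<li>https://example.com/x" onmouseover="alert(1)</li>',
  '</ul>',
].join('');

// Returns what each regex captures and whether the quoted URL survives
// each rendering path, so the effect of both controls can be compared.
function compare() {
  const loose = extractLinks(SAMPLE, LOOSE_RE);
  const strict = extractLinks(SAMPLE, STRICT_RE);
  const quoted = loose[1];
  return {
    loose,
    strict,
    unsafeInjectsAttribute: renderUnsafe(quoted).includes('" onmouseover="'),
    escapedInjectsAttribute: renderEscaped(quoted).includes('" onmouseover="'),
  };
}

console.log(JSON.stringify(compare(), null, 2));
```

The loose regex captures both list items, including the one containing the double quote, and renderUnsafe turns that capture into a second attribute on the anchor. The strict regex drops that item entirely, while renderEscaped keeps it as a harmless string. The two controls are complementary: the regex decides what is accepted, the escaper guarantees that whatever was accepted cannot change the HTML structure.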

Ibit-to commented 5 years ago

We still need to filter the unrelated links anyway, which will be done via jQuery's parseHTML, so it will be managed in a different way.

I will close this. Please reopen if needed.