Set sanitize marked option to true by default?

Ionaru / easy-markdown-editor

EasyMDE: A simple, beautiful, and embeddable JavaScript Markdown editor. Delightful editing for beginners and experts alike. Features built-in autosaving and spell checking.

https://stackblitz.com/edit/easymde

MIT License

2.45k stars 319 forks source link

Set sanitize marked option to true by default? #64

Open roipoussiere opened 5 years ago

roipoussiere commented 5 years ago

Many issues on simple-mde was about an XSS vulnerability, allowing the user to execute JS code in the preview.

While the never trust the user is a common practice in web development, I think that we should avoid this and set the marked sanitize option to true by default.

I don't really find use-cases where injecting JS in a markdown viewer is useful.

Note that of course we can easily set this option with renderingConfig like below, this issue is just about choosing the default behavior.

new EasyMDE({
    element: ...,
    renderingConfig: {
        markedOptions: {
            sanitize: true
        }
    }
});

I'm submitting a...

[x] Bug report
[x] Feature request

(well, not sure here...)

Reproduction steps

Just type this in the text area:

<div onclick="alert('oops!')">Click here, please</div>

Then activate the preview and click on the text.

Version information

Any browser, any version

marco-silva0000 commented 5 years ago

Any updates on this? I think at least a warning should be made on the readme with the settings shown above as a quick fix.

Maybe a section dedicated to security on the readme disclosing what is the default and what are the expectations, like what the marked library does https://github.com/markedjs/marked#usage

more information here https://snyk.io/vuln/SNYK-JS-SIMPLEMDE-72570

Ionaru commented 5 years ago

I don't see how this is an XSS (Cross-site scripting) issue. You can only execute code you input locally, which you can do in the dev console anyway.

Input sent to the server (before arriving at another client) should be checked and sanitized anyway because like you said: client input can never be trusted.

Inline HTML should be possible in markdown, setting sanitize to true will break this.

gseastream commented 4 years ago

Adding my two-cents. This is an XSS issue in the case of collaborative editors. For example, the app I'm writing embeds EasyMDEs in a document generating feature (sending out bodies of rendered-markdown to groups of users), which is fine in terms of sanitizing the markdown in the backend before displaying it statically or emailing it to folks. But an XSS issue arises since the MDE editors can be saved and returned to by anyone on the team, meaning a malicious team member could inject an XSS attack into the markdown, and when their teammate (who might have higher user privileges than them) opens that document and clicks the preview, they're subject to whatever XSS the attacker previously typed into the markdown and saved. For that reason I'm using the DOMPurify package in the sanitizerFunction option. I don't have an opinion on whether it should be the default (besides the fact that the marked library itself recommends using a sanitizer like DOMPurify), but I just wanted to point out what be a common use case like mine.