OpenTreeOfLife / phylesystem-api

API access to Open Tree of Life treestore
BSD 2-Clause "Simplified" License

Sanitize markdown (curator notes) with bleach #218

Closed jimallman closed 5 years ago

jimallman commented 5 years ago

This fix prevents malicious scripts from being inserted in our curator notes, which are entered as markdown when editing studies and (iirc) collections. This translation from markdown to HTML is always done using a single server-side function, and always on the fly (HTML output is never stored). Adding the fix here will disable (and reveal) any SCRIPT or other naughty bits in curator notes.

jimallman commented 5 years ago

The new behavior is in place on devapi (and can be easily tested using the webapps on devtree). If you save a string like <script>window.alert("XSS in progress!");</script> in the curator notes on tree (production), you should see a JS alert box when you view the study or even trigger its HTML preview while editing. This is caught and exposed by the fix on devtree/devapi.
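Added example, not code from the PR or from phylesystem-api: the allowlist step that the fix applies to the HTML rendered from curator-note markdown. The PR does this with `bleach.clean()`; the version below uses only the Python standard library so it runs without bleach installed, and the tag and attribute allowlists, the URL-scheme check and the constructed sample note are assumptions chosen for illustration. It shows the behaviour the comments describe (a `<script>` block is disabled and revealed as escaped text rather than executed or silently dropped, which is also what `bleach.clean()` does for a disallowed tag with its default `strip=False`), and goes a little beyond the `<script>` case by also dropping event-handler attributes and `javascript:` URLs, which a tag-only filter would let through.

```python
"""Allowlist sanitizer for HTML rendered from curator-note markdown.

Stand-alone illustration using html.parser; the project's fix uses
bleach.clean(), which applies the same allowlist idea.
"""
from html import escape
from html.parser import HTMLParser

# Assumed allowlist of what curator-note markdown legitimately renders to.
ALLOWED_TAGS = {
    "p", "br", "em", "strong", "a", "ul", "ol", "li", "code", "pre",
    "blockquote", "h1", "h2", "h3", "h4", "h5", "h6", "hr", "img",
}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "hr", "img"}

# Constructed sample: what a markdown renderer might emit for a hostile note.
RENDERED_NOTE = (
    '<p>Tree <em>looks</em> fine, see '
    '<a href="https://example.org/study/1" title="Study">the study</a>.</p>\n'
    '<script>window.alert("XSS in progress!");</script>\n'
    '<p><a href="javascript:alert(1)" onclick="steal()">click me</a> '
    '<img src="x" onerror="steal()"></p>\n'
)


def url_is_safe(value):
    """Accept relative URLs and allowlisted schemes only.

    Whitespace and control characters are removed before looking for the
    scheme, because browsers ignore them there ("java\\nscript:alert(1)").
    """
    compact = "".join(ch for ch in value if ord(ch) > 0x20)
    head = compact.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    if ":" not in head:
        return True  # no scheme: relative URL
    return head.split(":", 1)[0].lower() in ALLOWED_SCHEMES


class Sanitizer(HTMLParser):
    """Rebuilds the document, keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Disabled and revealed: the raw tag is shown as text, not parsed.
            self.out.append(escape(self.get_starttag_text(), quote=False))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, onerror=, style=, ...
            value = value or ""
            if name in URL_ATTRS and not url_is_safe(value):
                continue  # drops javascript:, data:, vbscript: links
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if tag not in ALLOWED_TAGS:
            self.out.append(escape("</%s>" % tag, quote=False))
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # Text is always re-escaped, including the body of a <script> block.
        self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions are dropped (no-op).


def sanitize(rendered_html):
    """Return a sanitized copy of HTML produced by the markdown renderer."""
    parser = Sanitizer()
    parser.feed(rendered_html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print(sanitize(RENDERED_NOTE))
```

Because the page says the markdown-to-HTML step happens on the fly in one server-side function and HTML is never stored, this kind of filter belongs on the output of that function; a note saved before the fix is still neutralized the next time it is rendered, which is exactly what the devtree/devapi test described above exercises.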