Open ys-oo opened 9 months ago
I'm not sure I follow. Are the links or the comments an XSS vector? How?
yo
I appreciate your response. The markdown links could be used to inject an XSS attack; I did provide an example with a google.com link, but it could be javascript instead ...
I don't think markdown-it will parse javascript: links. Do you have a working proof-of-concept?
I'm working on a Notion alternative using React JS and this awesome package. Now, I didn't succeed in making a DOMPurify plugin that will sanitize the HTML before it's rendered in the DOM, especially when using markdown comments like
[link](google.com)
as this is a huge door for XSS attacks.
Thank you for making this awesome package, and I do appreciate any help <3
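The thread turns on whether a markdown link target can carry a script-bearing URL scheme into the rendered HTML. As an added example (not part of the original thread, and not markdown-it or DOMPurify code), this stand-alone sketch applies a scheme allow-list to link targets and escapes everything it emits; `escapeHtml`, `isSafeHref`, `renderLinks` and the sample inputs are hypothetical names and constructed data.

```javascript
// Added example: hypothetical helpers, not markdown-it or DOMPurify code.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Escape text for HTML element content and double-quoted attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// True when href is a relative URL or uses an allow-listed scheme.
function isSafeHref(href) {
  // Browsers drop tabs/newlines inside a URL and leading control chars/spaces.
  // Strip every control char and space (a superset) before looking for a
  // scheme, so "java\tscript:" is seen as "javascript:".
  const cleaned = href.replace(/[\u0000-\u0020\u007f]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return true; // no scheme: resolved relative to the current page
  // Deliberately strict: "host:8080/path" without "//" also parses as a scheme.
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Toy renderer for inline [text](target) links only. Rejected links are
// emitted as escaped source text, so they stay visible but inert.
function renderLinks(markdown) {
  const LINK = /\[([^\]]*)\]\(([^)]*)\)/g;
  let out = "";
  let last = 0;
  let m;
  while ((m = LINK.exec(markdown)) !== null) {
    const [whole, text, target] = m;
    out += escapeHtml(markdown.slice(last, m.index));
    out += isSafeHref(target)
      ? `<a href="${escapeHtml(target.trim())}" rel="noopener noreferrer">${escapeHtml(text)}</a>`
      : escapeHtml(whole);
    last = m.index + whole.length;
  }
  return out + escapeHtml(markdown.slice(last));
}

// Constructed samples: the issue's own link, then targets that must be refused.
const samples = [
  "[link](google.com)",
  "[link](https://example.com/?q=\"a\")",
  "[link](javascript:alert(1))",
  "[link](JaVa\tScRiPt:alert(1))",
  "[link](data:text/html,hello)",
];
for (const s of samples) console.log(JSON.stringify(s), "->", renderLinks(s));
```

A check like this complements, rather than replaces, sanitizing the final HTML before it reaches the DOM.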