Closed cosmotek closed 1 year ago
The package doesn't allow any sort of JavaScript to run. Iframes (which could allow JavaScript to run on the embedded webpage) are not enabled by default.
The only potential risk I could foresee are performance issues if users provide extremely long HTML snippets. This might cause the app to hang as it tries to render a huge widget tree. This could be mitigated by limiting the length of the HTML a user is allowed to submit.
I thought this package might be a neat way to allow users of a social media app to customize their own profile pages. I realize that allowing untrusted code is inherently insecure, but I wonder if this package may be useful for building an HTML sandbox of sorts. Are there any security implications I should be aware of?
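The thread's mitigation is to cap the length of user-submitted HTML before the widget tree is built. The example below is an added illustration and is not code from this package or from either participant; it goes slightly beyond a bare length cap by also bounding element count and nesting depth (the things that actually determine widget-tree size) and by rejecting `iframe` and `script` tags, which the thread notes are the only paths to script execution. The limits, the `check_snippet` function name and the sample snippets are assumptions chosen for illustration; tune the numbers to the app.

```python
from html.parser import HTMLParser

# Assumed budgets for a profile-page snippet (placeholders, not package defaults).
MAX_BYTES = 20_000      # raw size of the submitted markup
MAX_NODES = 2_000       # number of element start tags
MAX_DEPTH = 32          # deepest open-element nesting
BLOCKED_TAGS = {"iframe", "script"}   # tags that could lead to script execution
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base",
             "col", "embed", "source", "track", "wbr"}   # never nest children


class _Budget(HTMLParser):
    """Walks the markup once, measuring tree size rather than building it."""

    def __init__(self):
        super().__init__()
        self.nodes = 0
        self.depth = 0
        self.max_depth = 0
        self.blocked = []

    def handle_starttag(self, tag, attrs):
        self.nodes += 1
        if tag in BLOCKED_TAGS:
            self.blocked.append(tag)
        if tag not in VOID_TAGS:
            self.depth += 1
            self.max_depth = max(self.max_depth, self.depth)

    # HTMLParser routes "<br/>" through handle_starttag then handle_endtag,
    # so self-closing forms need no special handling here.

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.depth > 0:
            self.depth -= 1


def measure(html: str) -> dict:
    """Return size, element count, max nesting depth and blocked tags seen."""
    parser = _Budget()
    parser.feed(html)
    parser.close()
    return {
        "bytes": len(html.encode("utf-8")),
        "nodes": parser.nodes,
        "max_depth": parser.max_depth,
        "blocked": parser.blocked,
    }


def check_snippet(html: str) -> tuple[bool, str]:
    """Accept or reject user HTML before it reaches the renderer.

    Size is checked before parsing so an oversized submission is
    rejected without spending parser time on it.
    """
    if len(html.encode("utf-8")) > MAX_BYTES:
        return False, "snippet too large"
    stats = measure(html)
    if stats["blocked"]:
        return False, "blocked tag: " + ", ".join(sorted(set(stats["blocked"])))
    if stats["nodes"] > MAX_NODES:
        return False, "too many elements"
    if stats["max_depth"] > MAX_DEPTH:
        return False, "nesting too deep"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = {
        "plain": "<p>Hello <b>world</b></p>",
        "deep": "<div>" * 40 + "x" + "</div>" * 40,
        "iframe": '<p><iframe src="https://example.invalid"></iframe></p>',
        "huge": "<p>" + "a" * 30_000 + "</p>",
        "many": "<i></i>" * 2_500,
    }
    for name, snippet in samples.items():
        print(name, check_snippet(snippet))
```

Run the check on the server where the profile is saved, not only in the client, so a user cannot skip it; the renderer then only ever sees markup that is already within budget.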