Notes
I tried a few different approaches with this:
Scrubbing the output before storing it proved to be very difficult. We're storing the content in markdown, which makes it hard to differentiate legitimate script elements that will be displayed within code examples from top-level malicious script elements.
But scrubbing the output before rendering should be enough to mitigate this issue.
Because:
This commit:
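An added example (not code from this commit or its project) of the trade-off described in the notes: a minimal, assumed markdown renderer that stores the markdown untouched and sanitizes at render time, beside a store-time scrub that destroys the legitimate `<script>` example inside a code fence. The fence-only markdown handling and the sample document are simplifications constructed for this illustration.

```python
import html
import re

FENCE = "`" * 3  # markdown code fence, built this way so it can live inside this block

# Constructed sample: a legitimate <script> example inside a code fence, plus a
# top-level injected script element outside any fence.
SAMPLE_MD = (
    "Here is how to embed a script:\n\n"
    + FENCE + "html\n<script src=\"app.js\"></script>\n" + FENCE + "\n\n"
    "<script>alert(document.cookie)</script>\n\nThanks!"
)

FENCE_RE = re.compile(re.escape(FENCE) + r"[^\n]*\n(.*?)" + re.escape(FENCE), re.S)
SCRIPT_TAG_RE = re.compile(r"(?is)<\s*/?\s*script[^>]*>")


def _render_prose(text):
    """Paragraphs outside fences: every raw HTML character is escaped at output time."""
    paras = [p.strip() for p in text.split("\n\n") if p.strip()]
    return "".join("<p>%s</p>" % html.escape(p) for p in paras)


def render(md):
    """Output-time sanitization (the approach the notes keep): the stored markdown is
    untouched, fenced code is HTML-escaped so <script> shows as text, and raw HTML
    outside fences is escaped too, so the injected element never executes."""
    parts, pos = [], 0
    for m in FENCE_RE.finditer(md):
        parts.append(_render_prose(md[pos:m.start()]))
        parts.append("<pre><code>%s</code></pre>" % html.escape(m.group(1)))
        pos = m.end()
    parts.append(_render_prose(md[pos:]))
    return "".join(parts)


def scrub_before_store(md):
    """The approach the notes rejected: strip script tags from the raw markdown.
    It cannot tell the code example from the injection and removes both."""
    return SCRIPT_TAG_RE.sub("", md)


def contains_live_script(rendered_html):
    """True if the rendered HTML still carries a real (unescaped) script element."""
    return bool(re.search(r"(?i)<script\b", rendered_html))
```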