Problem

Currently the MarkdownConverter permits inline HTML. This can be a problem and could allow a malicious user to embed <script></script> tags in their description that will run when loading that user's page. At worst, this opens up a vulnerability for cross-site scripting.

Solution

Configure the MarkdownConverter to escape HTML tags. Add tests.

Example
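Added illustration, not the project's own code: a constructed stand-in MarkdownConverter (it only handles bold and links) with an escape_html setting, rendering a sample user description with the weak setting and with the hardened one, and the assertions the new tests should make. The class name, the escape_html parameter and the sample description are assumptions.

```python
import html
import re


class MarkdownConverter:
    """Constructed stand-in for the project's converter (hypothetical class)."""

    def __init__(self, escape_html: bool = True):
        self.escape_html = escape_html

    def convert(self, text: str) -> str:
        if self.escape_html:
            # Hardened setting: escape <, >, &, quotes BEFORE applying markdown,
            # so any inline HTML in the description becomes literal text while
            # the tags the converter itself emits stay intact.
            text = html.escape(text, quote=True)
        # Weak setting (escape_html=False): raw HTML is passed straight through,
        # so a user-supplied <script> tag reaches the rendered profile page.
        text = re.sub(r"\*\*(.+?)\*\*", r"<strong>\1</strong>", text)
        text = re.sub(r"\[([^\]]+)\]\(([^)\s]+)\)", self._link, text)
        return text

    @staticmethod
    def _link(match: re.Match) -> str:
        label, url = match.group(1), match.group(2)
        # Going slightly beyond the report: only emit http(s) links, so a
        # javascript: URL is left as plain text rather than becoming clickable.
        if not re.match(r"^https?://", url):
            return html.escape(match.group(0))
        return f'<a href="{url}">{label}</a>'


# Constructed sample of what a malicious user might put in their description.
USER_DESCRIPTION = "Hi! **bold** <script>alert(1)</script> [site](https://example.com)"


def render_unsafe(text: str) -> str:
    """Current behaviour: inline HTML permitted."""
    return MarkdownConverter(escape_html=False).convert(text)


def render_safe(text: str) -> str:
    """Proposed behaviour: HTML tags escaped."""
    return MarkdownConverter(escape_html=True).convert(text)


if __name__ == "__main__":
    print(render_unsafe(USER_DESCRIPTION))
    print(render_safe(USER_DESCRIPTION))
```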