fac-15 / casual-sports

Connecting those who want to do sports and exercise!
https://casual-sports.herokuapp.com/

[SECURITY] Triple braces {{{body}}} #128

Open rub1e opened 5 years ago

rub1e commented 5 years ago

Is there a reason you've put your entire body in {{{triple braces}}}?

This makes you vulnerable to XSS: '{{double braces}}' escape HTML with a SafeString function - triple braces just render whatever they're given, hence vulnerability.

I actually use one single triple brace expression in my entire app, but that's just out of laziness, and it's only for rendering a single icon - so I control what goes in there.

BUT when you start using APIs, or even seemingly safe frameworks, you're dealing with code you don't control, so it's worth only using the triple braces when it's absolutely necessary.

I don't actually know what the impact of having the entire body rendered like this is, but it's definitely not a good idea if you can help it.

See this answer for more detail

rub1e commented 5 years ago

https://weblog.west-wind.com/posts/2018/Aug/31/Markdown-and-Cross-Site-Scripting#script-and-xss

Example of how this can affect you