Open kizu opened 10 months ago
Example: https://indiewebify.me/validate-h-entry/?url=https%3A%2F%2Fpotential-xss--kizu-blog.netlify.app%2Fweekly-bookmarks-002%2F — results in an XSS, as the source had an escaped HTML inside <code> elements, but then the value gets the unescaped content (which seems to be expected).
<code>
value
I noticed this when testing the parsing of microformats for my blog as a part of IndieWebCamp — https://indiewebify.me/validate-h-entry/?url=https%3A%2F%2Fblog.kizu.dev%2Fweekly-bookmarks-002%2F — and noticing the broken output:
Example: https://indiewebify.me/validate-h-entry/?url=https%3A%2F%2Fpotential-xss--kizu-blog.netlify.app%2Fweekly-bookmarks-002%2F — results in an XSS, as the source had an escaped HTML inside
<code>elements, but then thevaluegets the unescaped content (which seems to be expected).I noticed this when testing the parsing of microformats for my blog as a part of IndieWebCamp — https://indiewebify.me/validate-h-entry/?url=https%3A%2F%2Fblog.kizu.dev%2Fweekly-bookmarks-002%2F — and noticing the broken output: