instance-oom / ngx-markdown-editor

Angular markdown editor based on ace editor
http://lon-yang.github.io/markdown-editor/
Apache License 2.0

Cross site scripting bug #110

Closed TiagoJacobs closed 2 years ago

TiagoJacobs commented 2 years ago

Hello, would it be possible to disable HTML in this editor?

If you input an HTML `<img>` tag with this code, the code is executed, making it unsafe:

```markdown
# This is a markdown
## That supports HTML
### And it makes things unsafe 
<img onerror="alert('This is a injected script')" src="hacked"/>
```

instance-oom commented 2 years ago

Please refer to https://github.com/lon-yang/ngx-markdown-editor/issues/93

TiagoJacobs commented 2 years ago

Hello, thank you very much... However, I don't believe in "sanitizing".

I would prefer that we can completely disable HTML.

Something that would:

1 - process the "htmlentities" - replace all < by &lt;, > by &gt;, ...
2 - process markdown

This way we ensure no HTML tag is processed.

Is this possible?

instance-oom commented 2 years ago


In the preRender function, you can replace the content that you want to.

https://github.com/lon-yang/ngx-markdown-editor#options
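The two-step approach proposed in this thread (escape HTML-significant characters first, then let the markdown renderer run) can be plugged into the preRender hook the maintainer points to. The following is an added example, not code from ngx-markdown-editor or from either participant. The hook signature (raw markdown string in, string to render out) and the `[preRender]` template binding are assumed from the README linked above; the sample input is constructed here. It goes one step beyond the thread by leaving fenced code blocks and inline code spans unescaped, because the markdown renderer escapes those itself and escaping them twice would display `&lt;` literally in rendered code.

```typescript
// Added example, not ngx-markdown-editor's own code: a preRender hook that
// HTML-escapes the markdown source before the renderer sees it, so raw tags
// such as <img onerror=...> come out as literal text instead of markup.
// Fenced blocks and inline code spans are left alone because the markdown
// renderer escapes those itself; escaping them here as well would show the
// entities verbatim in rendered code.

/** Characters that are significant to an HTML parser, mapped to entities. */
const HTML_ESCAPES: { [ch: string]: string } = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

/** Step 1 of the proposal: replace every HTML-significant character. */
function escapeHtml(text: string): string {
  return text.replace(/[&<>"']/g, (ch: string) => HTML_ESCAPES[ch] || ch);
}

/**
 * Escape one line while skipping inline code spans (`...`). Splitting on a
 * capturing group leaves the code spans at the odd indexes of the result.
 */
function escapeLineOutsideCodeSpans(line: string): string {
  return line
    .split(/(`+[^`]*`+)/)
    .map((part: string, i: number) => (i % 2 === 1 ? part : escapeHtml(part)))
    .join('');
}

/**
 * Escape HTML everywhere except inside fenced code blocks (a line starting
 * with three or more backticks or tildes) and inline code spans. The result
 * still renders headings, lists, links, etc., but no user-supplied HTML can
 * become an element.
 */
function escapeHtmlOutsideCode(markdown: string): string {
  const fence = /^\s{0,3}(`{3,}|~{3,})/;
  let inFence = false;
  const out: string[] = [];
  for (const line of markdown.split('\n')) {
    if (fence.test(line)) {
      inFence = !inFence; // opening or closing fence line, kept verbatim
      out.push(line);
    } else {
      out.push(inFence ? line : escapeLineOutsideCodeSpans(line));
    }
  }
  return out.join('\n');
}

/**
 * The hook to hand to the editor. Signature assumed from the README the
 * maintainer links: raw markdown in, markdown for the renderer out.
 * The template binding is assumed to look like
 *   <md-editor [preRender]="preRenderNoHtml" ...></md-editor>
 */
const preRenderNoHtml = (markdown: string): string => escapeHtmlOutsideCode(markdown);

/** Constructed sample: the payload from this issue plus a code span and a fenced block. */
const SAMPLE_INPUT: string = [
  '# This is a markdown',
  '<img onerror="alert(\'This is a injected script\')" src="hacked"/>',
  'Inline `<b>kept</b>` stays, but 1 < 2 & 3 > 2 gets escaped.',
  '`'.repeat(3) + 'html',
  '<script>alert(1)</script>',
  '`'.repeat(3),
].join('\n');

console.log(preRenderNoHtml(SAMPLE_INPUT));
```

Note that this discards every HTML tag, harmless or not, which is exactly the behaviour asked for in this issue; a sanitizer such as the one discussed in #93 is the alternative when some inline HTML must survive.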