jbt / markdown-editor

Live (Github-flavored) Markdown Editor
http://jbt.github.com/markdown-editor
ISC License
2.82k stars 643 forks

Fix XSS Vulnerability #110

Closed ColeBennett closed 1 year ago

ColeBennett commented 4 years ago

This is an initial attempt to fix XSS scenarios noted in https://github.com/jbt/markdown-editor/issues/106. If any AllowScriptAccess attributes are found in HTML elements, or if any event handler attributes are set to HTML elements, then the related text will be automatically removed from the CodeMirror textarea. It also alerts the user with a descriptive message on why their added text was filtered out.
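The attribute filtering the description above sketches, as an added example in JavaScript (not the PR's or the project's own code): it scans HTML tags, strips on* event-handler and AllowScriptAccess attributes, and builds the user-facing message. The regexes, function names and message wording are my assumptions.

```javascript
// Added illustration, not code from the markdown-editor PR. Regex-based tag
// scanning shows the idea; for production, a real HTML sanitizer (e.g. DOMPurify)
// copes with malformed markup that a regex will miss.
const TAG_RE = /<([a-zA-Z][\w:-]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*(\/?)>/g;
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;

// Event handlers (onerror, onload, ...) and AllowScriptAccess are the two
// attribute classes the PR description names.
function isDangerousAttr(name) {
  const n = name.toLowerCase();
  return n.startsWith('on') || n === 'allowscriptaccess';
}

// Returns the HTML with offending attributes dropped, plus a list of what was
// removed so the editor can explain the filtering to the user.
function sanitizeAttributes(html) {
  const removed = [];
  const clean = html.replace(TAG_RE, (whole, tag, attrs, selfClose) => {
    const kept = [];
    for (const m of attrs.matchAll(ATTR_RE)) {
      const [, name, value] = m;
      if (isDangerousAttr(name)) {
        removed.push({ tag: tag.toLowerCase(), attr: name });
      } else {
        kept.push(value === undefined ? name : `${name}=${value}`);
      }
    }
    const attrText = kept.length ? ' ' + kept.join(' ') : '';
    return `<${tag}${attrText}${selfClose ? ' /' : ''}>`;
  });
  return { html: clean, removed };
}

// Descriptive message for the user; null when nothing was filtered.
function describeRemoval(removed) {
  if (removed.length === 0) return null;
  return 'Removed ' + removed.map(r => `${r.attr} from <${r.tag}>`).join(', ') +
    ': event handler and AllowScriptAccess attributes are not allowed.';
}
```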

ColeBennett commented 4 years ago

@aero31aero I'd like to assign you as a reviewer to this pull request; please let me know if you have any suggestions. I feel like this should be merged in as soon as possible since the current live version of the editor can be exploited with XSS attacks and the link-sharing feature amplifies how dangerous it can be.