Closed ColeBennett closed 1 year ago
@aero31aero I'd like to assign you as a reviewer to this pull request, please let me know if you have any suggestions. I feel like this should be merged in as soon as possible since the current live version of the editor can be exploited with XSS attacks and the link-sharing feature amplifies how dangerous it can be.
This is an initial attempt to fix XSS scenarios noted in https://github.com/jbt/markdown-editor/issues/106. If any AllowScriptAccess attributes are found in HTML elements, or if any event handler attributes are set on HTML elements, then the related text will be automatically removed from the CodeMirror textarea. It also alerts the user with a descriptive message on why their added text was filtered out.
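As an added illustration of the two filtering rules the description names (this is not code from this pull request or from jbt/markdown-editor), the following JavaScript scans raw HTML tags in editor text, strips inline event handler attributes and AllowScriptAccess, and builds the explanatory message shown to the user. The function names and the sample input are constructed for this example.

```javascript
// Added example (not the jbt/markdown-editor PR code): remove inline event
// handler attributes (onclick, onerror, ...) and AllowScriptAccess from raw
// HTML tags embedded in markdown text, and report what was removed so the
// editor can tell the user why their text was filtered.
//
// Limitation: this is a text-level pass over tag syntax, matching the PR's
// textarea-based approach. A quoted attribute value containing ">" will end the
// tag early. For the rendered preview, a tree-based allow-list sanitizer such
// as DOMPurify is the robust choice; this pass is the explanatory layer.

// One attribute inside a tag: name, then optional =value (quoted or bare).
const ATTR_RE = /\s+([^\s"'>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;

// Opening or self-closing tag: name, attribute text, optional trailing slash.
const TAG_RE = /<([a-zA-Z][\w:-]*)((?:\s+[^>]*?)?)\s*(\/?)>/g;

// Event handlers all start with "on"; AllowScriptAccess is the Flash-era flag.
function isBlockedAttribute(name) {
  const lower = name.toLowerCase();
  return lower.startsWith("on") || lower === "allowscriptaccess";
}

// Returns { html, removed }, where `removed` lists every stripped attribute.
function stripDangerousAttributes(html) {
  const removed = [];
  const cleaned = html.replace(TAG_RE, (tag, name, attrs, selfClose) => {
    const kept = attrs.replace(ATTR_RE, (attr, attrName) => {
      if (isBlockedAttribute(attrName)) {
        removed.push({ tag: name.toLowerCase(), attribute: attrName });
        return ""; // drop the whole name=value pair
      }
      return attr;
    });
    return `<${name}${kept}${selfClose ? " /" : ""}>`;
  });
  return { html: cleaned, removed };
}

// User-facing explanation, or null when nothing was filtered.
function describeRemoved(removed) {
  if (removed.length === 0) return null;
  return removed
    .map(r => `Removed "${r.attribute}" from <${r.tag}>: event handlers and ` +
              `AllowScriptAccess can run script when the preview is rendered or shared.`)
    .join("\n");
}

// Constructed sample: an image that fires script on load error, plus a Flash embed.
const SAMPLE = '<p>Hello <img src="x.png" onerror="alert(1)" alt="x"> ' +
  '<embed src="a.swf" allowScriptAccess="always" width="1"></p>';
```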