kartik-v / yii2-markdown

Advanced Markdown editing and conversion utilities for Yii Framework 2.0
http://demos.krajee.com/markdown

Javascript injection feasible #7

Closed chris68 closed 10 years ago

chris68 commented 10 years ago

If I enter

```markdown
Check javascript

<script>
alert("Hi!");
</script>
```

in the editor and press the preview button I get a 'Hi' box. Not really desirable...

GitHub handles that correctly (as you can easily test with this bug report)

kartik-v commented 10 years ago

Resolved and closed via commit 9425e14. Thanks for reporting. Injected scripts/XSS will be removed. To embed a script as text, escape the '>' character like this:

```markdown
<script\>alert ("Hello")</script\>
```
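The behaviour the maintainer describes, dropping injected script elements from the converted HTML while keeping the backslash-escaped form as visible text, as an added example written here in Python (it is not yii2-markdown's own PHP code). The tag allowlist, the `PreviewSanitizer`/`sanitize` names and the two sample converter outputs are assumptions for illustration.

```python
# Allowlist sanitizer for the HTML a Markdown converter emits, run before the
# preview is injected into the page (added example; allowlist is an assumption).
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "em", "strong", "code", "pre", "ul", "ol", "li",
                "h1", "h2", "h3", "blockquote", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/", "#")
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}  # body goes too

class PreviewSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()  # convert_charrefs=True: "&lt;" reaches handle_data as "<"
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif tag in ALLOWED_TAGS and not self.skip:
            kept = ""
            for name, value in attrs:
                value = (value or "").strip()
                if name not in ALLOWED_ATTRS.get(tag, ()):
                    continue  # on* event handlers never survive
                if name == "href" and not value.lower().startswith(SAFE_HREF_PREFIXES):
                    continue  # javascript:/data: URLs are dropped
                kept += f' {name}="{escape(value)}"'
            self.out.append(f"<{tag}{kept}>")
        # any other tag is unwrapped: the tag goes, its text stays

    def handle_endtag(self, tag):  # <br/> reaches here too; no </br> is emitted
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag != "br" and not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:  # re-escape, so text stays text
            self.out.append(escape(data, quote=False))

def sanitize(html):
    p = PreviewSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)

# Constructed converter output: the issue's input, then the escaped form (<script\> is no tag, so its "<" becomes &lt;).
INJECTED = '<p>Check javascript</p>\n<script>\nalert("Hi!");\n</script>'
ESCAPED = '<p>&lt;script>alert ("Hello")&lt;/script></p>'
```

`sanitize(INJECTED)` keeps only the paragraph, while `sanitize(ESCAPED)` returns the script source as harmless `&lt;`/`&gt;`-encoded text, which is what the preview should display.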