Open csarven opened 5 years ago
Perhaps use something like https://github.com/cure53/DOMpurify or https://github.com/apostrophecms/sanitize-html
Added DOMPurify ( https://github.com/search?q=repo%3Alinkeddata%2Fdokieli+dompurify&type=commits ) and using it in a few places. It is an improvement. It needs more reviewing and updating. For example, what to do with the openResource case where on one hand we want to be able to open an arbitrary document for editing and viewing but we also want to sanitize the markup for bad stuff.
Leave this issue open or create new issues based on chaos?
Another question is whether something like DOMPurify should be done at a lower level, in the first callbacks before passing it to other functions?
It needs to be limited to markup languages and possibly also plain text, otherwise it seems to mess up some of the concrete RDF syntaxes.
By default it gets rid of script, so any document with a data island (`<script type="application/ld+json">`) would immediately be lost in that case. Yet another great feature of hidden/grey metadata.. tsk tsk.
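An added example (not dokieli's code) of the two points raised above: only run the markup sanitizer on markup media types, and carry JSON-LD data islands across a sanitizer that drops every `<script>`. `sanitizeHtml` is an assumed parameter standing in for `DOMPurify.sanitize`; a minimal script-stripping stand-in is embedded so the snippet runs offline, and the media types and sample document are constructed for the demo.

```javascript
// Media types that should go through an HTML sanitizer; anything else
// (Turtle, JSON-LD, plain text) is passed through untouched.
const MARKUP_TYPES = new Set(['text/html', 'application/xhtml+xml']);

// Matches a JSON-LD data island and captures its body. Like a browser parser,
// it ends the island at the first </script>.
const DATA_ISLAND_RE =
  /<script\b[^>]*type\s*=\s*["']application\/ld\+json["'][^>]*>([\s\S]*?)<\/script\s*>/gi;

// Stand-in for DOMPurify.sanitize: drops every <script> element, which is
// DOMPurify's default behaviour and exactly what loses the data islands.
function stripScripts(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// Pull JSON-LD islands out of the markup, keeping only bodies that parse as
// JSON. Anything that is not valid JSON is discarded rather than trusted.
function extractDataIslands(html) {
  const islands = [];
  const stripped = html.replace(DATA_ISLAND_RE, (_match, body) => {
    try {
      islands.push(JSON.parse(body));
    } catch (_e) {
      // malformed island: drop it
    }
    return '';
  });
  return { stripped, islands };
}

// Re-serialise parsed JSON with '<' escaped, so the island cannot close its
// own <script> element or smuggle markup back into the sanitized document.
function serialiseIsland(data) {
  const json = JSON.stringify(data).replace(/</g, '\\u003c');
  return `<script type="application/ld+json">${json}</script>`;
}

function sanitizeResource(content, mediaType, sanitizeHtml = stripScripts) {
  if (!MARKUP_TYPES.has(mediaType)) {
    return content; // e.g. text/turtle: an HTML sanitizer would mangle it
  }
  const { stripped, islands } = extractDataIslands(content);
  const clean = sanitizeHtml(stripped);
  const reinserted = islands.map(serialiseIsland).join('');
  // Put the islands back just before </body>, or append if there is none.
  return /<\/body>/i.test(clean)
    ? clean.replace(/<\/body>/i, reinserted + '</body>')
    : clean + reinserted;
}
```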
Some XSS prevention rules mentioned at https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet ( archived: https://web.archive.org/web/20181129114024/https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet ) can be implemented. Labeling this issue as bug because we didn't systematically address this. Only in parts.