miguelfreitas / twister-html

twister HTML + Javascript User Interface
MIT License

xss in new markup #270

Open majestrate opened 9 years ago

majestrate commented 9 years ago

Links aren't properly escaped in markup.

```
# consider the following post
[link](#" onclick="window.location.reload" target=")
```
thedod commented 9 years ago

@slr, I think this is a wake-up call. We should use something like showdown or some other known and tested library, because parsers are where the script kiddies nest, and best is to use something with a large user base that "has seen it all" already. Whatever it is (not necessarily markdown) should enable plugins. I'm sure they're better documented :wink:

thedod commented 9 years ago

Thanks for quick patch (#271), but not sure it covers everything discussed here (not that I actually checked :wink:)

majestrate commented 9 years ago

+1 on the idea of using a 3rd party markdown library

slr commented 9 years ago

#271 turns off the block of code handling the pasting of that kind of links. It is surely enough for now. 4.07 AM, it's pretty late here to fix it without making new bugs, so I'm going to bed.

Thanks for alarming.