miguelfreitas / twister-html

twister HTML + Javascript User Interface
MIT License
229 stars, 138 forks

tasty ~markdown revisited #272

Closed slr closed 9 years ago

slr commented 9 years ago

now we

busted

I do not want to hardcode the http[s]:// URI scheme only, to allow others like the bitcoin: one, for example.

now show me what I have missed.

slr commented 9 years ago

ping #270

slr commented 9 years ago

by the way, I'm thinking about some optional (activated by default) confirmation modal for opening links.

slr commented 9 years ago

oh, I see. there are many more chars to drop before checking for javascript: or data: https://cure53.de/purify so it's not safe.

slr commented 9 years ago

I suggest deleting that check and applying https://cure53.de/purify, mentioned by @thedod, to the word for the link target instead.

miguelfreitas commented 9 years ago

we can't simply remove "data:", we use it for avatars. i just want to forbid scripts... if purify kills all "data:" then we wouldn't be able to use it for every url.
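An added example, not code from twister-html or from either commenter: a small Node.js script that shows the two points raised above. First, why a check on the raw link text for a "javascript:" or "data:" prefix is bypassable (browsers strip ASCII tab/newline anywhere in an href and C0 controls or spaces at its ends before resolving it, so the check and the browser see different strings). Second, an allowlist keyed on the scheme the WHATWG URL parser actually produces, which still lets data: through for base64 raster images so avatars keep working. The allowed scheme list and the accepted image MIME types are assumptions for the example; the sample inputs are constructed.

```javascript
// Added example for this thread; not twister-html's own code.
// Shows (1) why a raw-text prefix check for "javascript:"/"data:" is bypassable,
// because browsers strip tab/newline anywhere and C0 controls/spaces at the
// ends of an href before resolving it, and (2) an allowlist keyed on the
// *parsed* scheme that still lets data: through for image avatars.
// Runs under Node.js (global WHATWG URL); no DOM required.

// The kind of check the thread discusses: inspect the raw text for a prefix.
function naiveIsDangerous(raw) {
  const s = raw.trim().toLowerCase();
  return s.startsWith('javascript:') || s.startsWith('data:');
}

// Schemes a post link may use. "bitcoin:" comes from the thread; the others
// are assumptions for this example, not project policy.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:', 'bitcoin:', 'magnet:']);

// data: is kept only for base64 raster images (avatars). text/html and
// image/svg+xml are deliberately absent: both can carry script.
const DATA_IMAGE_RE = /^data:image\/(?:png|jpeg|gif|webp);base64,[A-Za-z0-9+/]+=*$/;

// Parse the way a browser resolves an href. The WHATWG parser removes ASCII
// tab/CR/LF anywhere in the input and leading/trailing C0 controls and
// spaces, lower-cases the scheme, and rejects scheme-less (relative or
// protocol-relative) input when no base URL is given.
function parseAbsolute(raw) {
  try {
    return new URL(raw);
  } catch (e) {
    return null;
  }
}

// Returns a normalised href that is safe to place in <a href>, or null.
function safeLinkTarget(raw) {
  const u = parseAbsolute(raw);
  if (u === null) return null;
  if (u.protocol === 'data:') {
    return DATA_IMAGE_RE.test(u.href) ? u.href : null;
  }
  return ALLOWED_SCHEMES.has(u.protocol) ? u.href : null;
}

// Constructed inputs (not taken from any real post).
const SAMPLES = [
  'java\tscript:alert(1)',        // tab inside the scheme
  '\u0001javascript:alert(1)',    // leading C0 control
  'JaVaScRiPt:alert(1)',          // case games
  'data:text/html,<script>alert(1)</script>',
  'data:image/png;base64,iVBORw0KGgo=',   // avatar-style image, should survive
  'bitcoin:1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa?amount=0.01',
  'HTTP://Example.com/Page',
  '//evil.example/',              // protocol-relative
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of SAMPLES) {
    console.log(JSON.stringify(s).padEnd(52),
      'naive-flags:', String(naiveIsDangerous(s)).padEnd(5),
      'allowlist ->', safeLinkTarget(s));
  }
}
```

Run it with `node` and compare the two columns: the naive check misses the tab and control-character variants but flags the PNG avatar, while the allowlist rejects every javascript: spelling and the text/html data URL and keeps the image and the bitcoin: link. Whatever sanitizer is finally used, the check has to run on the parsed scheme, not on the raw text.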

slr commented 9 years ago

so. some optimization and polishing was done.

e.g.

because we have that beautiful CSP rule it looks like we don't need to detect and filter injections, but detecting, filtering and the "I'm busted" message are retained here to make people aware of possible attempts.

post formatting is also turned on for DM snippets here.

what do you think?

slr commented 9 years ago

yet another reason why I'm retaining the injections filter here is kind of stupid: somebody can disable the CSP in his browser and then forget about it. I don't know. I feel better with it.

slr commented 9 years ago

i'm sorry for doing it here, but anyway. here are fixes for misc CSP violations, to fix the options.html page and the back buttons on modal windows.

thedod commented 9 years ago

Thanks. I'll merge this locally :wink:. cc #273

miguelfreitas commented 9 years ago

personally, i'd rather avoid all the hassle and just forbid markdown inside link descriptions. it's not such an important feature that we'll miss it.

then it all reverts to the safer "plaintext" only version.