Closed slr closed 9 years ago
ping #270
by the way I'm thinking about some optional (activated by default) confirmation modal to open links.
oh, I see. there are many more chars to drop before checking for `javascript:` or `data:` — https://cure53.de/purify
so it's not safe.
I suggest to delete that checking and apply https://cure53.de/purify mentioned by @thedod on the word for link target instead.
we can't simply remove "data:" we use it for avatars. i just want to forbid scripts... if purify kills all "data:" then we wouldn't be able to use it for every url.
so. some optimization and polishing was done.
e.g.
because we have that beautiful CSP rule, it looks like we don't need to detect and filter injections, but detecting, filtering and the message `I'm busted` are retained here to make people aware of possible attempts.
`:` delimiter in url target and check previous 6 chars for matching with `script` and 4 with `data`.
here also post formatting turned on for DM snippets.
what do you think?
yet another reason why I'm retaining injections filter here is kind of stupid: somebody can disable the CSP in his browser and then forget about it. I don't know. I feel better with it.
i'm sorry doing it here but anyway. here is fixes of misc CSP violations to fix `options.html` page and back buttons on modal windows.
Thanks. I'll merge this locally :wink:. cc #273
personally, i'd rather avoid all the hassle and just forbid markdown inside link description. it's not such an important feature we will miss.
then it all reverts to the safer "plaintext" only version.
now we
`()` of `[link name](url)`
`#`, `javascript` and `data` in beginning of it
`I'm busted` message in post
I do not want to hardcode `http[s]://` URI scheme only to allow others like `bitcoin:` one for example.
now show me what have I missed.
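The point raised in this thread, that more characters must be dropped before a link target is tested for `javascript:` or `data:` while other schemes such as `bitcoin:` stay allowed, shown as an added example that is not part of the thread or the project's code. All function names and sample targets are constructed for illustration.

```javascript
// Added example, not project code. All names here are hypothetical.
const BLOCKED_SCHEMES = new Set(['javascript', 'data']); // the two schemes named in the thread

// Normalize the way a browser URL parser does before it looks for the scheme:
// trim leading/trailing C0 control characters and spaces, drop TAB/LF/CR anywhere.
function normalizeTarget(raw) {
  return String(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// Return the lower-cased scheme, or null when the target has none (relative URL, "#anchor").
function schemeOf(raw) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalizeTarget(raw));
  return m ? m[1].toLowerCase() : null;
}

// Denylist check: any other scheme (https, bitcoin, ...) passes without being hardcoded.
function isBlockedTarget(raw) {
  const scheme = schemeOf(raw);
  return scheme !== null && BLOCKED_SCHEMES.has(scheme);
}

// A plain prefix check, for comparison: it misses case and whitespace variants.
function naiveIsBlocked(raw) {
  return raw.startsWith('javascript:') || raw.startsWith('data:');
}

// Constructed sample targets.
const SAMPLES = [
  'https://example.org/page',
  'bitcoin:PLACEHOLDER_ADDRESS',
  'javascript:void(0)',
  ' JaVa\tScRiPt:void(0)',
  '\u0001data:text/html,constructed',
  '#anchor',
];

function report() {
  return SAMPLES.map((t) => ({
    target: JSON.stringify(t),
    naive: naiveIsBlocked(t),
    normalized: isBlockedTarget(t),
  }));
}

console.table(report());
```

Run the check on the value exactly as it will be assigned to `href`, after any HTML entity decoding the renderer performs.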