Closed vishalxl closed 1 year ago
Yes, because I think allowing this opens you up to XSS attacks in a JavaScript runtime environment, so it's really a feature, not a bug.
Do you have any documentation on why it is safe to display this? Everything I found seemed to say it's not safe.
Making sure that the string is not an attack is of primary importance. I am just highlighting that after that has been done (and maybe the characters removed/modified/escaped if needed), the content should then get displayed.
I take it there would be a way to escape the character if nothing else works, or just remove it if needed, to make it less dangerous.
Worst-case scenario: removed <> characters would be better than nothing, imo.
It's not a high-priority thing, and I doubt it gets used a lot, but I recently got into it; that's why I raised this.
Yeah, I am just using a library to sanitize the content, and I don't have the experience to roll my own sanitization. Sorry, but I don't think there is anything else to do here. Unless you have other suggestions, I am going to close.
Since the text is supposed to be plain text (except for mentions etc.), such deletion or processing should ideally not be done.
The same kind of behavior is seen in nostr.io, just for the record, and I guess in many other web clients.
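The two options the thread weighs, escaping the angle brackets so they display verbatim versus stripping them as a last resort, as an added JavaScript example. This is not the client's own code and does not reproduce whatever sanitization library it uses; the function names and the sample inputs are assumptions made for illustration.

```javascript
// Added example (not code from the client discussed in the thread).
// Two ways to handle "<" and ">" in untrusted plain-text content
// before it is placed into an HTML renderer:
//   1. escapeHtml         - keeps the characters visible but inert
//                           (the "escape" option raised in the thread);
//   2. stripAngleBrackets - the "worst case" fallback: drop them.
// Function names and sample inputs below are assumptions.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Replace every character that has meaning to an HTML parser with its
// entity. Ampersand is included on purpose: without it, a user typing
// "&lt;" literally would be rendered as "<" and the text would be
// misrepresented.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Inverse of escapeHtml, used here only to show that escaping is
// lossless. "&amp;" is handled last so that "&amp;lt;" becomes "&lt;"
// and not "<".
function unescapeHtml(html) {
  return html
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&");
}

// Destructive fallback: remove the angle brackets entirely. Cheaper
// but lossy, so "a -> b" becomes "a - b".
function stripAngleBrackets(text) {
  return String(text).replace(/[<>]/g, "");
}

// True when the string contains nothing an HTML parser could treat as
// a tag, attribute delimiter, or unknown entity. Used as a post-check
// on escapeHtml's output.
function isInertForHtml(html) {
  return !/[<>"']/.test(html) && !/&(?!(amp|lt|gt|quot|#39);)/.test(html);
}

// Constructed sample inputs: a user writing angle brackets
// legitimately, a classic injection payload, and text that already
// contains an entity and an ampersand.
const SAMPLES = [
  "use the <nav> tag, then a -> b",
  "<img src=x onerror=\"alert('xss')\">",
  "5 &lt; 6 && 7 > 6",
];

// Run every sample through both strategies and report whether the
// escaped form is inert and survives a round trip unchanged.
function demo() {
  return SAMPLES.map((s) => ({
    input: s,
    escaped: escapeHtml(s),
    stripped: stripAngleBrackets(s),
    roundTrips: unescapeHtml(escapeHtml(s)) === s,
    escapedIsInert: isInertForHtml(escapeHtml(s)),
  }));
}
```

If the client builds DOM nodes directly rather than concatenating an HTML string, assigning the text with `element.textContent` needs no escaping at all, because the browser never parses it as markup; escaping is for the case where the content is interpolated into an HTML template. When mentions must become links, escape the whole string first and then wrap the mention tokens in markup the client generates itself, so that no user-supplied bytes ever reach the parser unescaped.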