nhn / tui.editor

πŸžπŸ“ Markdown WYSIWYG Editor. GFM Standard + Chart & UML Extensible.
http://ui.toast.com/tui-editor
MIT License
16.91k stars 1.71k forks source link

Add URL validation for image upload by URL input #3222

Open aujourdui opened 5 months ago

aujourdui commented 5 months ago

Version

Write the version that you are currently using. @toast-ui/vue-editor: 3.2.3

Development Environment

Write the browser type, OS and so on. Mac OS Sonoma 14.0

Current Behavior

When we add an image by URL input, it's fine to add an image by a URL such as "https" or "http". However, we can also add an image through this URL input with a data URL format such as data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAB3oAAAK1CAYAAAAuQ+8vAAABX2lDQ1...

This is an unexpected action, but this URL input is not covered by addImageBlobHook, so it's difficult to validate it.

Expected Behavior

Write a description of the future action.

I propose validating this URL input by "https" and "http" to filter out unexpected embedding of data URIs. It's not difficult and it's probably more secure.
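One way to implement the http/https check proposed above, as an added example (not code from tui.editor or from the issue author). `checkImageUrl`, `auditSamples` and the sample inputs are constructed for illustration; how such a check would be wired into the editor's URL input is not shown on this page and is left out.

```javascript
// Added example: scheme allowlist for an image URL typed into a URL input.
// checkImageUrl and the sample inputs below are constructed for illustration.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

function checkImageUrl(input) {
  if (typeof input !== 'string' || input.trim() === '') {
    return { ok: false, reason: 'empty' };
  }
  let url;
  try {
    // No base URL is passed, so relative and protocol-relative input
    // ("img/a.png", "//host/a.png") fails to parse and is rejected.
    url = new URL(input.trim());
  } catch {
    return { ok: false, reason: 'not-absolute-url' };
  }
  // The parser lowercases the scheme and drops embedded tabs/newlines,
  // so "DATA:" and "da\tta:" are both seen here as "data:".
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: 'scheme-not-allowed', scheme: url.protocol };
  }
  // Return the normalized form so the caller inserts exactly what was checked.
  return { ok: true, href: url.href };
}

// Constructed sample inputs.
const SAMPLES = [
  'https://example.com/cat.png',
  'HTTPS://Example.COM/Cat.png',
  'data:image/png;base64,AAAA',
  ' DATA:image/png;base64,AAAA',
  'da\tta:image/png;base64,AAAA',
  'blob:https://example.com/1b2c',
  'file:///tmp/cat.png',
  '//example.com/cat.png',
];

function auditSamples() {
  return SAMPLES.map((s) => ({ input: s, ...checkImageUrl(s) }));
}

for (const r of auditSamples()) {
  console.log(JSON.stringify(r));
}
```

Parsing with `URL` rather than testing a string prefix is what makes the mixed-case and embedded-tab variants resolve to `data:` before the allowlist is consulted.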

aujourdui commented 5 months ago

Although I fixed this issue locally and tried to push, the error below occurred. Do I need to have any permission to push and create a PR for this repository?

Permission to nhn/tui.editor.git denied to aujourdui.
fatal: unable to access 'https://github.com/nhn/tui.editor.git/': The requested URL returned error: 403