Open termermc opened 4 years ago
You probably want to call this function at the beginning of the process:

```js
function securityFixes(text) {
  return text
    .replaceAll(';', '&#59;')   // escape ';' first so the entities added below are not mangled
    .replaceAll("'", '&#39;')
    .replaceAll('"', '&quot;');
}
```

Semicolon got added in case someone wants to break out of style settings at some point.
The process function used for sanitizing input does not process `"` and therefore in some cases (especially with custom tags) causes possible XSS vulnerabilities. For example, if I created a tag that began with `<img src="/myimage.png" title="` and then ended with `" />`, the user could input `" onerror="alert('malicious javascript')" href="` and execute malicious JS. This does not seem to affect any of the default tags provided with XBBCode-Parser, but it's a huge security hole that's not obvious to people creating their own tags. I suggest that `"` be escaped to `&quot;`, along with `'` being escaped to `&#39;` (in case the developer used `'` instead of `"`). Thanks