perak / markdown

GitHub flavored markdown parser for Meteor based on marked.js

Security? #6

Closed Pushplaybang closed 8 years ago

Pushplaybang commented 8 years ago

Are there any inherent security risks with this plugin?

jhuenges commented 8 years ago

What risks would you suspect?

Pushplaybang commented 8 years ago

Other than the obvious (placing a misleading link or image into the markdown), is the input sanitized at all? Is this opening up the possibility of XSS, or has that been considered?

Is there anything I, or others, should do additionally (specific to using this package) when using this in an application to protect ourselves and our users?

perak commented 8 years ago

@Pushplaybang A user can insert anything into markdown, HTML content including links - markdown is not filtered at all. You can do it before storing data into the database (for example, replacing `<script>` & `</script>` tags with something else or similar).

perak commented 8 years ago

(or, maybe the easiest way is to replace `<` with `&lt;` and `>` with `&gt;`)
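The character-escaping approach perak describes above, as an added example that is not part of this thread or of the perak/markdown package. It assumes the HTML produced by the markdown renderer is inserted into the page unmodified, so escaping must happen before storage; the sample input is constructed.

```javascript
// Escape the characters that can open an HTML tag or entity in user-supplied
// markdown before it is stored. Escaping characters rather than replacing the
// literal "<script>" string covers every tag name and every capitalisation,
// since any tag can carry an attribute that runs script.
function escapeHtmlChars(text) {
  return text
    .replace(/&/g, "&amp;")   // must run first so later entities are not re-escaped
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Caveat: escaping ">" also breaks markdown blockquotes ("> quoted line").
// A ">" on its own cannot open a tag, so this variant escapes only "&" and "<"
// and keeps blockquote syntax working. Raw HTML in the markdown is still
// disabled in both variants, which is the point.
function escapeKeepingBlockquotes(text) {
  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;");
}

// Simple check a test suite can run over stored content: does the text still
// contain something that the browser would parse as an opening or closing tag?
function containsRawTag(text) {
  return /<\s*\/?[a-z]/i.test(text);
}

// Constructed sample: text, an injected script tag, a blockquote, and an entity.
const SAMPLE_MARKDOWN = [
  "Hello *world* <script>x()</script>",
  "> a quoted line",
  "5 &lt; 6",
].join("\n");

function demo() {
  const stored = escapeKeepingBlockquotes(SAMPLE_MARKDOWN);
  console.log(stored);
  console.log("raw tag left after escaping:", containsRawTag(stored)); // false
}
demo();
```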

Pushplaybang commented 8 years ago

OK thanks, I've changed to using chuangbo:marked as it seems to have a few more options and built-in sanitization.

thanks.