rjeschke / txtmark

Yet another markdown processor for the JVM
Apache License 2.0

Safe mode is not enough to be really safe #22

Closed FroMage closed 9 years ago

FroMage commented 10 years ago

It currently allows users to "escape" the place they are supposed to be at with, for example, the following HTML template:

<p>
 This contains the text: 
 <div id="user-content">${mdContent}</div>
</p>

One can then create Markdown content such as:

In the box
</div></p>
<p>
 Outside the box, looks like part of the site now 
 <a href="malicious-link">go there to reset your password please</a>
</p>

I need a way to escape every unescaped < character from the input.
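As an added example (not part of this issue thread and not txtmark code), the pre-filter the report asks for, written in Python: it escapes every `<` and every `&` that is not already a character reference, and a second function checks whether a rendered fragment would close elements it did not open, which is exactly how the `</div></p>` sample above breaks out of the `user-content` container. The sample input is constructed from the issue; the `malicious-link` href is the one quoted in the report.

```python
import re
from html.parser import HTMLParser

# Constructed sample that mirrors the break-out Markdown quoted in the issue.
BREAKOUT_MD = ('In the box\n</div></p>\n<p>Outside the box, looks like part of the site now '
               '<a href="malicious-link">go there to reset your password please</a></p>')

ENTITY_RE = re.compile(r'&(?:#[0-9]+|#[xX][0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);')
VOID_TAGS = {'br', 'hr', 'img', 'input', 'area', 'col', 'embed', 'source', 'wbr'}

def escape_raw_html(md: str) -> str:
    """Neutralise raw HTML in user Markdown before it reaches the processor: every '<'
    becomes '&lt;' and every '&' that does not already start a character reference
    becomes '&amp;', so existing entities such as &lt; or &#60; survive untouched."""
    out, i = [], 0
    while i < len(md):
        ch = md[i]
        if ch == '<':
            out.append('&lt;')
        elif ch == '&':
            m = ENTITY_RE.match(md, i)
            if m:                      # already an entity: copy it through
                out.append(m.group()); i = m.end(); continue
            out.append('&amp;')
        else:
            out.append(ch)
        i += 1
    return ''.join(out)

class _DepthTracker(HTMLParser):
    """Counts open elements; a closing tag seen at depth 0 means the fragment closed
    something it did not open, i.e. it would break out of the host container."""
    def __init__(self):
        super().__init__()
        self.depth, self.breakout = 0, False
    def handle_starttag(self, tag, attrs):
        if tag not in VOID_TAGS:
            self.depth += 1
    def handle_startendtag(self, tag, attrs):
        pass                           # <br/> style tags neither open nor close anything
    def handle_endtag(self, tag):
        if self.depth == 0:
            self.breakout = True
        else:
            self.depth -= 1

def fragment_stays_contained(fragment: str) -> bool:
    """True if the fragment can be dropped into <div id="user-content"> without closing
    the div (or anything above it) and without leaving its own elements open."""
    t = _DepthTracker()
    t.feed(fragment); t.close()
    return not t.breakout and t.depth == 0
```

Because a safe mode that lets raw HTML through renders the sample unchanged, `fragment_stays_contained(BREAKOUT_MD)` is False, while the escaped input passes the check.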

rjeschke commented 9 years ago

Added a panicMode, fixed with 00fa65a963e18370569ddc73423511b85e01e0aa

FroMage commented 9 years ago

Thanks! I'll try it out!

FroMage commented 9 years ago

Yes, works, thanks!