Open flyingzebra opened 5 months ago
The following function insufficiently sanitises the input. Directly using the string replace method to perform escaping is notoriously error-prone and therefore hackable.

```js
// Entity names (&quot; &lt; &gt; &amp;) were decoded by the page rendering; restored here.
showdown.helper.unescapeHTMLEntities = function (txt) {
  'use strict';
  return txt
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
};
```
DOMPurify looks over engineered, but it does the job of sanitising. Example code: var clean = DOMPurify.sanitize(dirty);