Open mbeckenbach opened 6 years ago

Hi, your preview mode has a major XSS issue.
Add this text in your demo, toggle preview and click the word play.
Go ahead, <div onclick="alert('test')">play</div> around with the editor!

@mbeckenbach maybe I'm being stupid, but in this case you can only XSS attack yourself?

@nivv demos are supposed to be representative of how a library should be used in the wild. @mbeckenbach is right that this is an issue. In the wild the markdown being edited/saved is likely visible and editable by multiple users.

I feel like this is not an issue with SimpleMDE itself. It is designed to be a Markdown editor, which means it is designed to allow embedded HTML. Protecting against a non-trusted user's input is outside of the scope of SimpleMDE.

I think they should attach a warning about this, because there are plenty of naive developers out there, but it's up to the dev to protect against XSS. For example, I am using SimpleMDE both with its sanitization option enabled (and server-side sanitization, of course) for untrusted users, and a non-sanitized version on a form only accessible by an admin, so that I can utilize HTML if I need to. A more complex use case could whitelist certain HTML uses and block others.

I am not the author, but I found this writeup extremely helpful: https://github.com/showdownjs/showdown/wiki/Markdown's-XSS-Vulnerability-(and-how-to-mitigate-it)
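The thread's recommendation (and the linked showdown writeup) is to sanitize the rendered HTML with an allowlist rather than to filter the Markdown source. The following is an added example, not SimpleMDE's code or the sanitizer it ships: `renderMarkdown` is a toy renderer that, like real Markdown, passes embedded HTML through untouched, and `sanitizeHtml` is a small allowlist sanitizer run on its output. The tag/attribute allowlist, the `previewUnsafe`/`previewSafe` helpers and the sample inputs are assumptions made for the example; a production deployment should use a maintained sanitizer such as DOMPurify or sanitize-html instead of this hand-rolled one.

```javascript
// Added example (not SimpleMDE's code). Demonstrates why the rendered HTML,
// not the Markdown source, is what has to be sanitized, and what an
// allowlist sanitizer does to the payloads discussed in the thread.

// Toy Markdown renderer: handles **bold** and [text](url) only and, like a
// real Markdown renderer, leaves embedded HTML exactly as written.
function renderMarkdown(md) {
  const html = md
    .replace(/\*\*([^*]+)\*\*/g, '<strong>$1</strong>')
    .replace(/\[([^\]]+)\]\(([^)\s]+)\)/g, '<a href="$2">$1</a>');
  return `<p>${html}</p>`;
}

// Allowlist (assumed for this example): tag name -> attributes that may
// survive. Every other tag is dropped (its inner text is kept) and every
// other attribute, including all on* event handlers, is removed.
const ALLOWED = new Map([
  ['p', []], ['div', []], ['strong', []], ['em', []], ['code', []], ['pre', []],
  ['ul', []], ['ol', []], ['li', []], ['br', []], ['a', ['href']],
]);
const SAFE_SCHEMES = ['http', 'https', 'mailto'];

const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

const escapeText = (s) => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = (s) => escapeText(s).replace(/"/g, '&quot;');

// Undo the entity forms a browser honours inside an attribute value, so that
// "javascript&#58;..." is judged the same way the browser will treat it.
function decodeEntities(s) {
  const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '');
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&colon;/gi, ':')
    .replace(/&(tab|newline);/gi, '');
}

// A URL is safe if it is relative or uses an allowed scheme. Control
// characters and whitespace are stripped first because browsers ignore them
// when parsing the scheme ("java\tscript:" still runs).
function safeUrl(value) {
  const decoded = decodeEntities(value)
    .replace(/[\u0000-\u0020\u007f]/g, '')
    .toLowerCase();
  const scheme = /^([a-z][a-z0-9+.-]*):/.exec(decoded);
  return scheme === null || SAFE_SCHEMES.includes(scheme[1]);
}

// Rebuilds the document from scratch: text is escaped, allowed tags are
// re-emitted with only their allowed attributes, everything else is dropped.
function sanitizeHtml(html) {
  let out = '';
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeText(html.slice(last, m.index));
    last = m.index + m[0].length;
    const [, slash, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    const allowedAttrs = ALLOWED.get(name);
    if (allowedAttrs === undefined) continue; // unknown tag: drop it, keep its text
    if (slash === '/') { out += `</${name}>`; continue; }
    let attrs = '';
    for (const a of rawAttrs.matchAll(ATTR_RE)) {
      const attrName = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (!allowedAttrs.includes(attrName)) continue; // drops onclick, onerror, ...
      if (attrName === 'href' && !safeUrl(value)) continue; // drops javascript: links
      attrs += ` ${attrName}="${escapeAttr(value)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out + escapeText(html.slice(last));
}

// What the issue's demo does (render only) versus render-then-sanitize.
function previewUnsafe(md) { return renderMarkdown(md); }
function previewSafe(md) { return sanitizeHtml(renderMarkdown(md)); }

// Constructed sample inputs: the payload from the issue plus variants that a
// Markdown-level filter would miss because the HTML only appears after rendering.
const SAMPLES = [
  "Go ahead, <div onclick=\"alert('test')\">play</div> around with the editor!",
  '[click](javascript:alert%281%29)',
  '[x](javascript&#58;alert%281%29)',
  '<img src=x onerror=alert(1)>',
  '**bold** [ok](https://example.com/?a=1)',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const md of SAMPLES) {
    console.log('unsafe:', previewUnsafe(md));
    console.log('safe:  ', previewSafe(md));
  }
}
```

The point the thread makes is visible in the second and third samples: the Markdown source contains no `<a>` tag and no `onclick`, yet after rendering it carries a `javascript:` link, so a filter applied before rendering cannot see it. Running the allowlist over the rendered HTML catches it regardless of how it was produced, and the same pass strips the `onclick` from the original report's `<div>` while keeping the `<div>` itself.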