Open pranavstark opened 5 years ago
you should be setting your marked parse options to sanitize
Hi @dantrevino, I did not find any configuration to set it equal to sanitize. Please let me know how to mark parse options to sanitize? I am looking here for configuration: https://github.com/sparksuite/simplemde-markdown-editor#configuration
Until this is fixed, you can enable the sanitize marked option.
You can do this in the latest version, which is not in the master branch, so you need to build the simplemde files from source:
```sh
git clone https://github.com/sparksuite/simplemde-markdown-editor.git
cd simplemde-markdown-editor
npm install --save-dev
gulp
```
Note that as I write this text, the current gulpfile doesn't support gulp 4. If my pull request to fix this is not merged by the time you read this, you must edit the gulpfile too (just see the PR diff).
Then, copy simplemde-markdown-editor/dist/simplemde.min.css and simplemde-markdown-editor/dist/simplemde.min.js to your project.
Finally, set the sanitize rule to true:
```javascript
var simplemde = new SimpleMDE({
    renderingConfig: {
        markedOptions: {
            sanitize: true
        }
    },
    element: $('#articleContent')[0]
});
```
XSS Vulnerability detected: I tried to inject an XSS query into SimpleMDE by creating a link as follows.
```markdown
[XSS](javascript:alert%28sessionStorage.clear%28%29%29)
```
and it works as follows: this is converted into a link that clears the user's sessionStorage in this example when clicked.
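As an added example (not code from SimpleMDE, marked or anyone in this thread), here is a link-href allowlist check an integrator could run in a custom link renderer in addition to marked's `sanitize` option; it rejects the encoded `javascript:` link from this issue as well as case and whitespace variants. `renderLink` assumes the shape of marked's `renderer.link(href, title, text)` hook, which may differ between marked versions; everything else is stand-alone.

```javascript
// Schemes an integrator chooses to allow in rendered links (assumption: adjust per site).
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Normalise an href the way a browser will see it before the scheme is parsed.
function normalizeHref(href) {
  let s = String(href);
  // Percent-decode first, so an encoded scheme cannot slip past the check (conservative:
  // a browser would not decode the scheme, but an allowlist may safely be stricter).
  try { s = decodeURIComponent(s); } catch (e) { /* malformed encoding: keep the raw string */ }
  // Browsers drop ASCII tab/newline anywhere and leading/trailing control characters before
  // parsing, so "java\tscript:" still runs; this removes all controls and spaces, which is stricter.
  s = s.replace(/[\u0000-\u0020\u007f]/g, '');
  return s.toLowerCase();
}

// True when the href is relative or uses an allowed scheme.
function isSafeHref(href) {
  const s = normalizeHref(href);
  const m = /^([a-z][a-z0-9+.-]*):/.exec(s);
  if (!m) return true;                 // no scheme: relative URL
  return ALLOWED_SCHEMES.has(m[1] + ':');
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
}

// Renderer hook: an unsafe link degrades to its escaped text instead of an <a> element.
function renderLink(href, title, text) {
  if (!isSafeHref(href)) return escapeHtml(text);
  const t = title ? ` title="${escapeHtml(title)}"` : '';
  return `<a href="${escapeHtml(href)}"${t}>${escapeHtml(text)}</a>`;
}

// The payload from this issue (constructed sample input) is rendered as plain text "XSS".
renderLink('javascript:alert%28sessionStorage.clear%28%29%29', null, 'XSS');
```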