Closed ngthtung closed 3 years ago
I warned about this problem yesterday. The content should be sanitized before passing it into this property.
This example will execute the script when the content is already loaded:
<img src="nonexistent.png" onerror="alert(1);" />
Live preview: https://stackblitz.com/edit/react-itrybw?file=src/App.js
Some recommended sanitizers:
Mozilla suggested using DOMPurify and CSP to avoid script injection.
https://github.com/mozilla/readability#security
If you're going to use Readability with untrusted input (whether in HTML or DOM form), we strongly recommend you use a sanitizer library like DOMPurify to avoid script injection when you use the output of Readability. We would also recommend using CSP to add further defense-in-depth restrictions to what you allow the resulting content to do.
Please consider sanitizing article.content. XSS attacks are possible here: https://github.com/webuild-community/federated-blog/blob/eaacb8721aea5b4bd527eff3353c5e889fcb77a7/pages/read.tsx#L56
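Added example, not part of the original issue or the project's code: one way to apply the DOMPurify recommendation before Readability output reaches the DOM. It assumes "this property" is React's `dangerouslySetInnerHTML`, that the `dompurify` package is installed, and uses a hypothetical component name `SafeArticle`.

```tsx
import { useEffect, useState } from 'react';
import DOMPurify from 'dompurify';

// Hypothetical component: `html` stands for Readability's article.content,
// which must be treated as untrusted input.
export function SafeArticle({ html }: { html: string }) {
  // Start empty so nothing unsanitized is ever rendered, including during
  // server-side rendering where no DOM exists for DOMPurify to work with.
  const [clean, setClean] = useState('');

  useEffect(() => {
    // Effects only run in the browser. If DOMPurify still reports that it
    // cannot run, fail closed and render nothing instead of the raw HTML.
    if (!DOMPurify.isSupported) {
      setClean('');
      return;
    }
    setClean(
      DOMPurify.sanitize(html, {
        USE_PROFILES: { html: true },    // plain HTML only, no SVG or MathML
        FORBID_TAGS: ['style', 'form'],  // assumption: an article view needs neither
        FORBID_ATTR: ['style'],          // drop inline styles as well
      })
    );
  }, [html]);

  // Event-handler attributes are removed by the sanitizer, so the issue's
  // <img src="nonexistent.png" onerror="alert(1);" /> is rendered as a
  // plain <img src="nonexistent.png"> with no script attached.
  return <div dangerouslySetInnerHTML={{ __html: clean }} />;
}
```

A Content-Security-Policy that disallows inline script, as the Readability README suggests, remains useful as a second layer if a sanitizer bypass is ever found.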