Open vincentjames501 opened 1 year ago
Example markdown:
[click me](javascript:window.onerror=alert;throw%20document.URL)
Markdown clj will render:
Maybe we force folks to specify specific protocols they want to support and validate the urls? We just discovered this and haven't done much analysis at this point.
This is what other popular Java markdown tools do:
https://github.com/commonmark/commonmark-java/blob/main/commonmark/src/main/java/org/commonmark/renderer/html/DefaultUrlSanitizer.java
Note that this doesn't affect other online editors either:
https://dillinger.io/
https://stackedit.io/app#
https://jbt.github.io/markdown-editor/
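The protocol allowlist approach suggested above, written out as an added Python example (not markdown-clj's code and not commonmark-java's DefaultUrlSanitizer, though it follows the same idea): the scheme is normalised before it is compared, and a link whose scheme is not on the list is rendered as plain text. The function names and the sample URLs are constructed for this example.

```python
import html
import re
from typing import Optional

# Schemes a renderer may safely emit in href/src. javascript:, vbscript: and
# data: (data:text/html can carry script) are deliberately absent.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

# Browsers ignore ASCII control characters and whitespace inside a scheme, so
# "java\tscript:" and " javascript:" both reach the javascript: handler.
# They must be removed before the scheme is inspected.
_SCHEME_NOISE = re.compile(r"[\x00-\x20\x7f]")

# RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def extract_scheme(url: str) -> Optional[str]:
    """Return the lower-cased scheme of url, or None for a relative URL."""
    cleaned = _SCHEME_NOISE.sub("", url)
    m = _SCHEME_RE.match(cleaned)
    return m.group(1).lower() if m else None


def sanitize_url(url: str) -> str:
    """Return url unchanged if relative or on the allowlist, else ''."""
    scheme = extract_scheme(url)
    if scheme is None or scheme in ALLOWED_SCHEMES:
        return url
    return ""


def render_link(text: str, url: str) -> str:
    """Render a markdown link; a rejected destination degrades to plain text."""
    safe = sanitize_url(url)
    if not safe:
        return html.escape(text)
    return f'<a href="{html.escape(safe, quote=True)}">{html.escape(text)}</a>'


if __name__ == "__main__":
    # Constructed sample destinations, including the one from this issue.
    for u in ["javascript:window.onerror=alert;throw%20document.URL",
              " JavaScript:alert(1)", "java\tscript:alert(1)",
              "https://example.com/?a=1&b=2", "/relative/path", "./notes:2024.md"]:
        print(repr(u), "->", render_link("click me", u))
```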
Yeah, that looks like it would need additional sanitizing to be done. Any chance you'd have a chance to take a look at adding escaping for this?