Closed taeng0204 closed 2 months ago
@devleejb
I looked at a few options and realized that we were using rehypePlugins in our existing code. I think rehypeSanitize would be a simple and quick fix.
https://github.com/rehypejs/rehype-sanitize
When I tested with it, the XSS case in question didn't work.
@taeng0204
I think it is a good approach. Could you apply rehypeSanitize?
What would you like to be added
The Preview component is using dangerouslySetInnerHTML={{ __html: html }}, which makes it possible to inject arbitrary HTML directly into CodePair. This is vulnerable to attacks such as XSS and needs to be fixed.

Why is this needed
The Preview component uses MarkdownPreview, and it would be good to look for options to prevent XSS in that library. Also, it seems like a good idea to limit the HTML tags that can be used in CodePair. In the past, I've made sure that only certain custom-designed tags were available.

Additional Information
With @devleejb's permission, I tried to trigger XSS in CodePair. I succeeded in fetching and executing HTML from an external server using the iframe tag. I've attached a link to a simple example below.
https://codepair.yorkie.dev/ggam._.2/66c96b49e535e3f72191c42a/share?token=ki0ce
Although this example is simple, I believe that CodePair could be used for phishing, because anyone can access it through the link.
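The two points raised in this thread, an iframe injected through the rendered preview and the idea of limiting the HTML tags CodePair accepts, are illustrated by the added example below. It is not CodePair's code and it is not rehype-sanitize; it is a small stand-alone JavaScript allowlist sanitizer that applies the same kind of policy rehype-sanitize's default schema does (unknown elements dropped, unknown attributes dropped, script contents removed, URL attributes restricted to safe schemes), so the effect on the payload shape described above can be seen without the unified pipeline. The tag allowlist, the sample payload and the attacker host in it are constructed for this example. The actual fix in the project is to add rehypeSanitize to rehypePlugins; a hand-written regex sanitizer like this one is only for illustration and does not replace a real HTML parser.

```javascript
// Constructed example: an allowlist HTML sanitizer mirroring the policy that
// rehype-sanitize's default schema enforces. Not CodePair or rehype code.

// Element -> attributes allowed on it. Anything not listed is dropped.
// (Assumed allowlist; a real schema would be larger.)
const ALLOWED_TAGS = {
  a: ['href', 'title'], img: ['src', 'alt', 'title'],
  p: [], br: [], b: [], i: [], strong: [], em: [], code: [], pre: [],
  ul: [], ol: [], li: [], blockquote: [],
  h1: [], h2: [], h3: [], h4: [], h5: [], h6: [],
};
const URL_ATTRS = new Set(['href', 'src']);
const SAFE_PROTOCOLS = new Set(['http', 'https', 'mailto']);
const RAW_TEXT_TAGS = new Set(['script', 'style']); // tag AND contents dropped
const VOID_TAGS = new Set(['br', 'img']);

const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Decode the entity forms browsers accept inside attribute values, so that
// "&#106;avascript:" is checked as "javascript:" and not as harmless text.
function decodeEntities(value) {
  const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '');
  return value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&(tab|newline|colon);/gi,
      (_, n) => ({ tab: '\t', newline: '\n', colon: ':' })[n.toLowerCase()]);
}

// A URL is safe if it is relative or its scheme is on the allowlist. ASCII
// control characters and whitespace are stripped first, because browsers
// ignore them and "java\tscript:" would otherwise pass the scheme check.
function isSafeUrl(value) {
  const cleaned = decodeEntities(value).replace(/[\u0000-\u0020]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(cleaned);
  return m === null || SAFE_PROTOCOLS.has(m[1]);
}

const escapeText = (s) => s
  .replace(/&(?![a-zA-Z][a-zA-Z0-9]*;|#\d+;|#x[0-9a-fA-F]+;)/g, '&amp;')
  .replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = (s) => escapeText(s).replace(/"/g, '&quot;');

// Keep only allowlisted attributes; this is what removes onclick/onerror.
function sanitizeAttrs(name, attrText) {
  const allowed = ALLOWED_TAGS[name];
  let out = '';
  ATTR_RE.lastIndex = 0;
  let m;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    const attr = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!allowed.includes(attr)) continue;
    if (URL_ATTRS.has(attr) && !isSafeUrl(value)) continue;
    out += ` ${attr}="${escapeAttr(decodeEntities(value))}"`;
  }
  return out;
}

function sanitizeHtml(html) {
  let out = '';
  let last = 0;
  let skipUntil = null; // set while inside <script>/<style>
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    const [tag, rawName, attrText] = m;
    const name = rawName.toLowerCase();
    const isClose = tag[1] === '/';
    const text = html.slice(last, m.index);
    last = m.index + tag.length;
    if (skipUntil) {                       // drop raw text of script/style
      if (isClose && name === skipUntil) skipUntil = null;
      continue;
    }
    out += escapeText(text);
    if (!(name in ALLOWED_TAGS)) {         // e.g. <iframe>: tag removed,
      if (!isClose && RAW_TEXT_TAGS.has(name)) skipUntil = name;
      continue;                            // its fallback text is kept as text
    }
    if (isClose) { if (!VOID_TAGS.has(name)) out += `</${name}>`; continue; }
    out += `<${name}${sanitizeAttrs(name, attrText)}>`;
  }
  if (!skipUntil) out += escapeText(html.slice(last));
  return out;
}

// Constructed payload of the same shape as the report: an injected iframe,
// an event handler, a javascript: link and an inline script.
const SAMPLE = '<p onclick="x()">hi</p><iframe src="https://attacker.example/"></iframe>'
  + '<a href="javascript:alert(1)">x</a><script>alert(1)</script>'
  + '<img src="https://example.com/a.png" onerror="alert(1)">';

console.log(sanitizeHtml(SAMPLE));
```

Run it with node to see the iframe, the handlers, the script and the javascript: href all disappear while the harmless markup survives. The design point is that everything is denied unless listed, which is the property rehype-sanitize gives the markdown pipeline and the property dangerouslySetInnerHTML on its own never provides.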