yorkie-team / codepair

Build your own AI-powered collaborative markdown editor in just 5 minutes
https://codepair.yorkie.dev
Apache License 2.0
49 stars 19 forks

Add HTML Embedding Whitelist for Enhanced XSS Security #326

Open devleejb opened 2 months ago

devleejb commented 2 months ago

What would you like to be added: To improve XSS security, we have introduced rehype-sanitize. However, this implementation has restricted the usage of beneficial HTML embedding features, such as StrawPoll and Google Calendar. It is crucial to explore solutions that would allow us to securely utilize this functionality.

The following adjustments to the sanitization schema have been proposed:

import rehypeSanitize, { defaultSchema } from "rehype-sanitize";

// Proposed rehype-sanitize plugin entry: extend the default schema so that
// <iframe> and <div> survive sanitization, with a fixed attribute list.
// (rehype-sanitize re-exports defaultSchema from hast-util-sanitize.)
const rehypeSanitizePlugin = [
  rehypeSanitize,
  {
    ...defaultSchema,
    tagNames: [...(defaultSchema.tagNames ?? []), "iframe", "div"],
    attributes: {
      ...defaultSchema.attributes,
      iframe: [
        "src",
        "width",
        "height",
        "frameborder",
        "allow",
        "allowfullscreen",
        "allowtransparency",
        "style",
      ],
      div: ["style"],
    },
    protocols: {
      ...defaultSchema.protocols,
      // Note: hast-util-sanitize compares each entry here against the URL
      // scheme only (the text before the first ":"), so full origins such as
      // "https://strawpoll.com" never match. The inherited "http"/"https"
      // entries are what actually admit the iframe src, from any host; a
      // host restriction has to be enforced by a separate check.
      src: [
        ...(defaultSchema.protocols?.src || []),
        "https://strawpoll.com",
        "https://cdn.strawpoll.com",
      ],
    },
  },
];

With these changes, StrawPoll functionality works, but it is necessary to verify security implications. Additionally, we should consider a scalable structure that allows for the inclusion of other certified sites.

Why is this needed:

Providing a secure and flexible HTML embedding feature will enhance user experience while maintaining safety against XSS attacks. By integrating trusted sources, we can offer richer functionalities without compromising security.

Additional Information:
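The issue asks for a "scalable structure" that admits embeds from certified sites only. The following is an added example, not code from the codepair repository or from the issue author: a unified/rehype-style transformer over a hast tree that keeps an `<iframe>` only when its `src` parses to an allowlisted HTTPS origin, intended to run after `rehypeSanitize` has admitted the `iframe` tag. The two StrawPoll origins come from the issue; the plugin name `rehypeIframeAllowlist`, the helper names, and the sample tree and its paths are assumptions constructed for illustration. It runs stand-alone in Node without rehype installed, because it only touches the plain-object tree shape hast uses.

```javascript
// Added example (not part of the codepair project): host allowlist for <iframe src>.
// Allowlist entries taken from the issue; everything else is constructed here.
const ALLOWED_IFRAME_ORIGINS = new Set([
  'https://strawpoll.com',
  'https://cdn.strawpoll.com',
]);

// True only when `src` is an absolute https URL whose origin is listed.
// Parsing with the URL class (rather than a string prefix test) means that
// "https://strawpoll.com.evil.example" and "https://strawpoll.com@evil.example"
// resolve to their real origins and are rejected.
function isAllowedIframeSrc(src, allowed = ALLOWED_IFRAME_ORIGINS) {
  if (typeof src !== 'string') return false;
  let url;
  try {
    url = new URL(src); // relative or malformed URLs throw and are rejected
  } catch {
    return false;
  }
  // url.origin is "<scheme>://<host>[:port]" with no userinfo, path or query.
  return url.protocol === 'https:' && allowed.has(url.origin);
}

// Walks a hast-like tree and removes <iframe> elements that fail the check.
// Returns how many were removed so callers can log or assert on it.
function stripUntrustedIframes(tree, allowed = ALLOWED_IFRAME_ORIGINS) {
  let removed = 0;
  function visit(node) {
    if (!node || !Array.isArray(node.children)) return;
    node.children = node.children.filter((child) => {
      if (child.type === 'element' && child.tagName === 'iframe') {
        const src = child.properties && child.properties.src;
        if (!isAllowedIframeSrc(src, allowed)) {
          removed += 1;
          return false;
        }
      }
      return true;
    });
    node.children.forEach(visit);
  }
  visit(tree);
  return removed;
}

// unified-style plugin factory (assumed name), usable next to rehypeSanitize:
//   rehypePlugins: [[rehypeSanitize, schema], [rehypeIframeAllowlist, { origins: [...] }]]
function rehypeIframeAllowlist(options = {}) {
  const allowed = new Set(options.origins ?? ALLOWED_IFRAME_ORIGINS);
  return (tree) => { stripUntrustedIframes(tree, allowed); };
}

// Constructed sample tree: one legitimate embed and three look-alikes.
function sampleTree() {
  const iframe = (src) => ({ type: 'element', tagName: 'iframe', properties: { src }, children: [] });
  return {
    type: 'root',
    children: [
      { type: 'element', tagName: 'div', properties: {}, children: [
        iframe('https://strawpoll.com/embed/example-poll-id'), // kept
        iframe('https://strawpoll.com.evil.example/embed'),     // host suffix, removed
        iframe('https://strawpoll.com@evil.example/embed'),     // userinfo, removed
        iframe('http://strawpoll.com/embed/example-poll-id'),   // not https, removed
      ] },
    ],
  };
}

// Collects the src of every iframe left in the tree, for inspection.
function remainingIframeSrcs(tree) {
  const out = [];
  (function walk(node) {
    if (node.type === 'element' && node.tagName === 'iframe') out.push(node.properties.src);
    (node.children || []).forEach(walk);
  })(tree);
  return out;
}

// Runs the plugin over the sample tree and returns what happened.
function demo() {
  const tree = sampleTree();
  rehypeIframeAllowlist()(tree);
  return remainingIframeSrcs(tree);
}
```

Adding a new certified site is then a one-line change to the allowlist (or to the `origins` option), and the check stays independent of rehype-sanitize's schema, which cannot express host restrictions on its own.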