
Specification defining valid Ricardian contracts

Results 5 ricardian-spec issues

Welcome to [Mend for GitHub.com](https://github.com/apps/mend-for-github-com) (formerly WhiteSource). This is an onboarding PR to help you understand and configure settings before Mend starts scanning your repository for security vulnerabilities. :vertical_traffic_light: Mend...

The current spec includes YAML, CommonMark and Handlebars, all of which have large attack surfaces, making it very difficult for implementers to create a secure parser and renderer. Considering that...

I think a hard requirement on the maximum length of the summary is too restrictive. It may be fine if the summary was not allowed to have Handlebar expressions, but...

Images are known to be vulnerable:

- PNGs: [source](https://securelist.com/png-embedded-malicious-payload-hidden-in-a-png-file/74297/), [source](https://www.theregister.co.uk/2019/02/07/android_january_patches/)
- SVGs: [source](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/svg-files-are-not-as-benign-as-it-may-seem/), [source](https://www.owasp.org/images/0/03/Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf)
- JPG: [source](https://www.f-secure.com/v-descs/exploit_w32_jpg_vulnerability.shtml), [source](https://security.stackexchange.com/questions/97856/can-simply-decompressing-a-jpeg-image-trigger-an-exploit)
- Generic: [source](https://herolab.usd.de/how-to-exploit-a-vulnerable-picture-upload-using-manipulated-pictures/), [source](https://www.owasp.org/index.php/Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009))

...

Even with the best sanitizers in the world, allowing un-escaped HTML will become an attack vector. Sanitizers are consistently broken, and for wallets, it would require that the sanitizer's version...