angular-markdown-directive

Does using angular-sanitize protect against Showdown XSS?

Open canebat opened this issue 9 years ago • 2 comments

Showdown has an XSS bug: https://github.com/showdownjs/showdown/issues/57

Will including angular-sanitize as you have it in the README help prevent this?

canebat avatar Apr 16 '15 02:04 canebat

You can't really prevent XSS attacks in showdown, before the input is fully parsed into HTML, because markdown provides a number of ways to inject a script that are very hard (or close to impossible) to detect by usual means.

So angular-sanitize should be used AFTER the HTML is processed. This prevents most classic XSS attacks but does not prevent the defacing of your webpage (with images, for instance).

tivie avatar May 28 '15 22:05 tivie
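The ordering tivie describes, as an added example that is not part of this issue thread and is not Showdown's or angular-sanitize's code. Both the Markdown converter and the allowlist sanitizer below are hypothetical toys (far less complete than the real libraries, and the regex-based sanitizer is not something to ship) written only to show why filtering the Markdown source misses payloads that exist only after conversion, why an allowlist applied to the output HTML catches them, and why a plain hotlinked image still gets through, which is the defacement caveat above.

```javascript
// Added example (not from the issue or from Showdown/angular-sanitize).
// Demonstrates: sanitize the rendered HTML, not the Markdown input.

// Toy Markdown-to-HTML converter (hypothetical). Handles ![alt](url) images,
// [text](url) links, *emphasis*, and, like real Markdown, passes raw inline
// HTML through untouched. No text escaping, so it is deliberately unsafe.
function toyMarkdownToHtml(md) {
  let html = md;
  html = html.replace(/!\[([^\]]*)\]\(([^)\s]+)\)/g, '<img src="$2" alt="$1">');
  html = html.replace(/\[([^\]]+)\]\(([^)\s]+)\)/g, '<a href="$2">$1</a>');
  html = html.replace(/\*([^*]+)\*/g, '<em>$1</em>');
  return '<p>' + html + '</p>';
}

// The tempting but wrong approach: scrub the Markdown *before* parsing.
// This catches a literal <script> block and nothing else.
function naiveInputFilter(md) {
  return md.replace(/<script[\s\S]*?<\/script>/gi, '');
}

// Toy allowlist sanitizer applied to the *output* HTML (hypothetical; use
// angular-sanitize or DOMPurify in practice). Keeps only the listed tags and
// attributes, and only http(s) URLs in href/src. Everything else is dropped.
function toyOutputSanitizer(html) {
  const allowed = { p: [], em: [], strong: [], a: ['href'], img: ['src', 'alt'] };
  const safeUrl = /^https?:\/\//i;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g, (tag, name, attrs) => {
    const lname = name.toLowerCase();
    if (!(lname in allowed)) return '';          // unknown tag: remove it
    if (tag.startsWith('</')) return '</' + lname + '>';

    let kept = '';
    let m;
    while ((m = attrRe.exec(attrs)) !== null) {
      const aname = m[1].toLowerCase();
      const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
      if (!allowed[lname].includes(aname)) continue;            // e.g. onerror
      if ((aname === 'href' || aname === 'src') && !safeUrl.test(value.trim())) {
        continue;                                               // e.g. javascript:
      }
      kept += ' ' + aname + '="' + value.replace(/"/g, '&quot;') + '"';
    }
    return '<' + lname + kept + '>';
  });
}

// Wrong order: filter the Markdown, then convert.
function renderUnsafeOrder(md) {
  return toyMarkdownToHtml(naiveInputFilter(md));
}

// Right order: convert, then sanitize the resulting HTML.
function renderSafeOrder(md) {
  return toyOutputSanitizer(toyMarkdownToHtml(md));
}

// Constructed sample inputs. Browsers percent-decode javascript: URLs, so the
// encoded parentheses in the first payload still execute if the link is clicked.
const samples = [
  '[click me](javascript:alert%281%29)',          // payload lives in a Markdown link
  '<img src=x onerror=alert%281%29>',             // raw HTML passed through by Markdown
  '![](https://evil.example/big.png)',            // harmless to the DOM, but defaces the page
];

for (const md of samples) {
  console.log('input       :', md);
  console.log('filter-first:', renderUnsafeOrder(md));
  console.log('sanitize-out:', renderSafeOrder(md));
  console.log();
}
```

The sanitizer runs after conversion, so it does not need to understand Markdown at all; it only has to decide which HTML may reach the DOM. That is also why it cannot help with the defacement case: an `<img>` pointing at an attacker-chosen https URL is exactly what the allowlist is meant to permit.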

Please note that the issue referenced is not about XSS - I just happened to discover it while writing about XSS. I have clarified this in the other issue's comment thread.

JakobKallin avatar May 29 '15 19:05 JakobKallin