
Potentially malicious links in Markdown previews are clickable

btrask opened this issue 9 years ago (Open, 0 comments)

In our preview generator for CommonMark Markdown files, we allow clickable links, including hash: links. That means we don't use cmark's "safe" link checker that prohibits javascript: links, among other protocols.

We should probably maintain our own whitelist.

  • http
  • hash
  • data?
  • ftp
  • NOT file
  • mailto

Let's look at cmark to see what else.

btrask, Nov 08 '15 22:11
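An added example of the allowlist the issue proposes, written in JavaScript; it is not StrongLink's or cmark's code. The scheme set (with `data` left out until decided and `file` never allowed), the `hash` scheme spelling and the browser-style normalisation of the destination are assumptions.

```javascript
// Added example (not StrongLink's own code): an allowlist check for link
// destinations in a CommonMark preview. Schemes follow the issue's list;
// "data" is left out until its handling is decided, "file" is never allowed.
const DEFAULT_ALLOWED_SCHEMES = new Set(["http", "https", "hash", "ftp", "mailto"]);

// RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
const SCHEME_RE = /^([a-z][a-z0-9+.\-]*):/i;

// Normalise the destination the way a browser does before parsing it:
// drop leading/trailing C0 controls and spaces and remove embedded
// tab/newline characters. Without this, a destination such as
// "  javascript:" or "java\nscript:" would not match the scheme regex
// and would be treated as a harmless relative link.
function normalizeDestination(dest) {
  return dest
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
}

// Returns the lowercase scheme, or null when the destination is relative
// or a fragment-only ("#...") link.
function extractScheme(dest) {
  const m = SCHEME_RE.exec(normalizeDestination(dest));
  return m ? m[1].toLowerCase() : null;
}

// Allowlist decision (cmark's --safe mode is a denylist instead): relative
// and fragment links are always fine; anything with a scheme must be listed.
function isAllowedLink(dest, allowed = DEFAULT_ALLOWED_SCHEMES) {
  const scheme = extractScheme(dest);
  return scheme === null || allowed.has(scheme);
}

// Minimal escaping so the value can sit inside an HTML attribute or text node.
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Render a link as <a>; a rejected destination degrades to plain link text.
function renderLink(dest, text, allowed = DEFAULT_ALLOWED_SCHEMES) {
  const safeText = escapeHtml(text);
  if (!isAllowedLink(dest, allowed)) return safeText;
  return `<a href="${escapeHtml(normalizeDestination(dest))}">${safeText}</a>`;
}
```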