
Use of ParagraphsDangerousHtml on SurveyPage lets the survey owner do XSS

Open japsu opened this issue 1 year ago • 3 comments

There is a valid use case: we may want to put hyperlinks and other markup in the survey description. However, untrusted users will be allowed to create surveys in the future, so we cannot allow un-sanitized, arbitrary HTML that might include scripts, CSS and other shenanigans.

Either use Markdown or similar, or introduce sanitization for the HTML. Sanitized HTML might be preferred as we may want to employ a WYSIWYG editor for the description.


japsu, Jan 15 '24 06:01
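As an added illustration of the sanitized-output approach the issue asks for (this is example code, not kompassi's own, and the function names are illustrative): the untrusted description is HTML-escaped in full first, and only a `[label](url)` link syntax with an `http(s)` URL is turned back into markup, so the string handed to the renderer can never carry a script, a style or a `javascript:` href.

```javascript
// Added example, not from kompassi: escape everything, then re-introduce
// only an allowlisted link syntax. Output is safe to inject as HTML.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Returns a normalized href for http(s) URLs only; javascript:, data:,
// vbscript: and unparsable values are rejected (null).
function safeHref(url) {
  try {
    const u = new URL(url);
    return u.protocol === "http:" || u.protocol === "https:" ? u.href : null;
  } catch {
    return null;
  }
}

// Renders one paragraph: text outside links is escaped; each [label](url)
// becomes an <a> only when the URL passes safeHref, otherwise it stays as
// escaped plain text (the author sees the rejected link rather than markup).
function renderParagraph(raw) {
  const linkRe = /\[([^\]]+)\]\(([^)\s]+)\)/g;
  let out = "";
  let last = 0;
  for (const m of raw.matchAll(linkRe)) {
    out += escapeHtml(raw.slice(last, m.index));
    const href = safeHref(m[2]);
    out += href
      ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(m[1])}</a>`
      : escapeHtml(m[0]);
    last = m.index + m[0].length;
  }
  out += escapeHtml(raw.slice(last));
  return `<p>${out}</p>`;
}

// Blank-line separated paragraphs, each rendered independently.
function renderDescription(description) {
  return description
    .split(/\n\s*\n/)
    .filter((p) => p.trim() !== "")
    .map((p) => renderParagraph(p.trim()))
    .join("\n");
}

// Constructed sample input: a hostile description mixing a real link,
// raw HTML and a javascript: link.
const sample = "Sign up [here](https://example.com/?x=1&y=2)\n\n<script>alert(1)</script>\n\n[click](javascript:alert(1))";
console.log(renderDescription(sample));
```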

WYSIWYG doesn't preclude using Markdown as the underlying format though!

akx, Jan 15 '24 06:01

No, it doesn't. I'd prefer a WYSIWYG editor that does not expose non-technical users to Markdown, though. Outline is fine, Obsidian is too Markdowny.

japsu, Jan 15 '24 07:01

I was thinking something like https://quilljs.com/ or https://mdxeditor.dev/ or https://v3.mantine.dev/others/rte/...

akx, Jan 15 '24 08:01