ng-showdown icon indicating copy to clipboard operation
ng-showdown copied to clipboard
verified publisher icon showdownjs

Sanitize option not in docs

Open klummy opened this issue 8 years ago • 3 comments

Hello,

I am not sure if this is a ng-showdown issue or Showdown issue but how to enable sanitization is missing from the docs. I had to look at multiple issues and the code itself to realise this.

Here is the option: $showdownProvider.setOption('sanitize', true)

klummy avatar Jun 21 '17 10:06 klummy

I'd argue sanitize should default to enabled, as best practice to to have secure defaults.

rjmackay avatar Dec 18 '17 00:12 rjmackay

Enabling "Sanitize" is kind of a "false sense of security" measure since, by itself, it does not protect against XSS attacks.

In order for it to be really secure you should follow extra steps. So enabling it by default could give the user a false sense of security. Also, it can break some legit use cases (where the user doesn't want any input to be sanitized).

Although I'm not against turning it on by default, there are legit concerns that the user might think showdown is XSS safe when it is not.

See https://github.com/showdownjs/showdown/wiki/Markdown's-XSS-Vulnerability-(and-how-to-mitigate-it) for more info.

tivie avatar Dec 18 '17 00:12 tivie

by itself, it does not protect against XSS attacks?

Could you please expand on why is this te case ?

Reading the link you pasted, it seems to me that applying ngSanitize to the output of showdown should be enough to prevent XSS, but it looks like I may be missing something.

mtrias avatar Apr 17 '18 20:04 mtrias