
Mitigating XSS

Open · mscreenie opened this issue 8 years ago · 1 comment

I'm allowing markdown input from the public. I want to know if remarkable will sanitize or prevent users from performing XSS against my site.

Also, while on this topic, does this project have a whitelist to only allow headings, bold, etc. and prevent data URLs, or URLs in general?

Thanks.

mscreenie, Oct 14 '16 12:10

It will do some basic filtering, but not fully. You'll still want to limit the types of data URIs that are accepted, like in the following markdown:

[this works](data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4K)

Note: PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4K is just <script>alert("Hello");</script> base64 encoded.

Which will turn into: <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4K">this works</a>

breadtk, Aug 29 '17 22:08
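As an added example (not code from this thread and not remarkable's own code): an allowlist-based href check in JavaScript that rejects the `data:text/html` link quoted above while keeping ordinary links, and also catches a scheme hidden behind HTML entities or split by whitespace, which a simple `startsWith('javascript:')` test misses. The scheme list, the image MIME list, the `renderLink` helper and the sample inputs are all assumptions constructed for this example. To my knowledge remarkable's inline parser exposes its link validator as an overridable function (`md.inline.validateLink`) that a check like this could replace; confirm that against the version you run before relying on it.

```javascript
// Added example for this thread (not remarkable's code): an allowlist link
// validator plus a tiny renderer showing what should happen to the
// data:text/html link quoted in the comment above.
// ALLOWED_SCHEMES and ALLOWED_DATA_MIME are assumptions to tune per site.

const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);
// data: URIs pass only as raster images, which a browser never executes
// as a document, unlike data:text/html.
const ALLOWED_DATA_MIME = /^data:image\/(png|jpeg|gif|webp);/;

function fromCodePointSafe(n) {
  // String.fromCodePoint throws above U+10FFFF; treat such junk as empty.
  return n <= 0x10ffff ? String.fromCodePoint(n) : '';
}

// Decode the entity forms used to disguise a scheme ("javascript&#x3A;alert(1)",
// "&#106;avascript:") so the scheme check sees the real characters.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => fromCodePointSafe(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => fromCodePointSafe(parseInt(d, 10)))
    .replace(/&colon;/gi, ':');
}

// Returns true when `url` may be emitted as an href.
function validateLink(url) {
  // Browsers ignore whitespace and C0 control characters inside a scheme
  // ("java\tscript:" still runs), so strip them before inspecting it.
  const str = decodeEntities(url).replace(/[\s\x00-\x1f]+/g, '').toLowerCase();
  const colon = str.indexOf(':');
  if (colon === -1) return true; // no scheme: relative URL or fragment
  // A '/', '?' or '#' before the first ':' means the colon belongs to the
  // path or query ("/search?q=a:b"), not to a scheme.
  const delim = str.search(/[\/?#]/);
  if (delim !== -1 && delim < colon) return true;
  const scheme = str.slice(0, colon);
  if (scheme === 'data') return ALLOWED_DATA_MIME.test(str);
  return ALLOWED_SCHEMES.has(scheme);
}

function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Render one markdown-style link. A rejected href is dropped entirely and the
// link text is kept as plain text, so nothing clickable reaches the page.
function renderLink(text, href) {
  if (!validateLink(href)) return escapeHtml(text);
  return `<a href="${escapeHtml(href)}">${escapeHtml(text)}</a>`;
}

// Constructed sample inputs, starting with the exact link from the comment above.
const SAMPLES = [
  ['this works', 'data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4K'],
  ['docs', 'https://example.com/docs'],
  ['alert', 'javascript:alert(1)'],
  ['hidden', 'javascript&#x3A;alert(1)'],
  ['tab', 'java\tscript:alert(1)'],
  ['png', 'data:image/png;base64,iVBORw0KGgo='],
  ['relative', '/search?q=a:b'],
];

// Renders every sample; the first, third, fourth and fifth come back as bare text.
function renderSamples() {
  return SAMPLES.map(([text, href]) => renderLink(text, href));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const line of renderSamples()) console.log(line);
}
```

The validator is deliberately an allowlist: anything with an unrecognised scheme is refused, so a scheme you have not thought about (`vbscript:`, `file:`, a future one) fails closed rather than open. Dropping the href instead of replacing the whole link keeps the author's text visible, which makes rejected links easy to spot when reviewing user content.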