
img scr - not working

Open suaw3k opened this issue 13 years ago • 6 comments

Hi,

I try to put

     ![Alt text] (url)

it works but without

     scr="<url>"

so I can't see the image in the comment section.

suaw3k avatar Nov 23 '12 11:11 suaw3k

Sorry. I don't think image URLs will get past the sanitizer so I'm afraid that image support is not an option at the moment. There might be a safe way to enable this but I'm not sure how at the moment.

Suggestions welcome

medovob avatar Nov 27 '12 09:11 medovob

Actually, the reason this isn't working is because you need to pass a URI policy function to html_sanitize in js/oblong-workflowy.js, e.g.:

$markdown.html(html_sanitize(converter.makeHtml(text), function(uri) {return uri;}));

This should restore support for images and links.

pjeby avatar Feb 10 '13 20:02 pjeby

Thanks @pjeby but I fear I'd need a suitable URI policy function to enable this safely.

Would this not lead to potential javascript injection using href="javascript:doSomethingNasty();" ?

medovob avatar Feb 18 '13 21:02 medovob

Well, it does need some URI policy, if you're using content created by others. (If you're exclusively using your own items, the lack of filtering is a feature - you can actually use it to modify Workflowy's UI...)

I suppose you could provide a couple of configuration options: exclude URLs and include URLs (a pair of case-insensitive regexes). If a URL matches the include and doesn't match the exclude, allow it. The default would exclude javascript: and data: URLs, and the default include could permit relative URLs (including scheme-relative), http, https, and ftp. So:

exclude: javascript:|data:
include: http:|https:|ftp:|(?![a-z][-+.a-z0-9]*:)

The above should put the okay on all relative URLs (i.e., ones lacking a "scheme:" prefix), and exclude prefixes not otherwise defined. (For exclusion purposes, the URL should be checked in both its encoded and decoded forms, so that you can't bypass validation using %-encoding.)

pjeby avatar Feb 18 '13 22:02 pjeby

ok - sounds good

I think because of the shareable nature of Workflowy, there is always the potential to unwittingly land on a malicious list, which is why the sanitizer is there. I like the idea of having this configurable and your defaults sound sensible.

Just need to find a bit of time to put it together (unless you fancy doing it? :)

medovob avatar Feb 19 '13 21:02 medovob

:+1:

Pickachu avatar Mar 02 '13 14:03 Pickachu