
bug report - XSS

Open guillaC opened this issue 4 years ago • 1 comment

You should use a richtextbox rather than a webviewer. More information about XSS: https://en.wikipedia.org/wiki/Cross-site_scripting

payload: ![a](javascript:alert("hey"))

screenshot: (image not included)

guillaC avatar Sep 15 '20 16:09 guillaC

The idea is to use a real HTML renderer with full CSS/font support. Most .NET HTML-rendering engines are very limited in terms of styling. You can try the plugin MarkdownViewer++ https://github.com/nea/MarkdownViewerPlusPlus, which is using some kind of richtext component to render the HTML. I think for the MarkdownPanel the best approach is to add an option to enable an HTML sanitizer https://github.com/mganss/HtmlSanitizer before the HTML is sent to the browser.

mohzy83 avatar Oct 16 '20 09:10 mohzy83
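As an added illustration of the "sanitize before the HTML reaches the browser" option suggested above (example code written for this page; it is neither NppMarkdownPanel's code nor the HtmlSanitizer library): a small allow-list sanitizer over the HTML a Markdown engine produces, which drops the `javascript:` image URL from the report while keeping the image element, and also neutralizes the usual evasions (mixed case, embedded control characters, entity-encoded colon). The tag set, attribute set and scheme list are assumptions chosen for the demo.

```python
import re
from html import escape, unescape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "a", "img", "em", "strong", "code", "pre", "ul", "ol", "li", "br", "h1", "h2", "h3"}
URL_ATTRS, TEXT_ATTRS = {"href", "src"}, {"alt", "title"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}  # allow-list: anything else is dropped, not blocked

def url_is_safe(url):
    """Scheme allow-list. Entities are decoded and the control/whitespace bytes browsers
    ignore are stripped first, so 'java\\tscript:' and 'javascript&#58;' count as 'javascript:'."""
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", unescape(url or ""))
    match = re.match(r"([a-z][a-z0-9+.\-]*):", cleaned, re.IGNORECASE)
    return match is None or match.group(1).lower() in ALLOWED_SCHEMES  # no scheme = relative URL

class MarkdownHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1  # drop the element together with its content
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown element: drop the tag but keep its text
        kept = []
        for name, value in attrs:  # on* handlers, style= and unsafe URLs fall through
            if name in TEXT_ATTRS or (name in URL_ATTRS and url_is_safe(value)):
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in ("img", "br"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize(html):
    parser = MarkdownHtmlSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed sample: the HTML a Markdown engine emits for ![a](javascript:alert("hey")).
REPORT_HTML = '<p><img src="javascript:alert(&quot;hey&quot;)" alt="a"></p>'  # sanitizes to <p><img alt="a"></p>
```

Running `sanitize(REPORT_HTML)` returns `<p><img alt="a"></p>`; a plain `https://` image or link passes through unchanged.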