
Incomplete string escaping or encoding

Open flyingzebra opened this issue 8 months ago • 0 comments

The following function insufficiently sanitises the input. Directly using the string replace method to perform escaping is notoriously error-prone and therefore hackable.

showdown.helper.unescapeHTMLEntities = function (txt) {
  'use strict';

  return txt
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
};

DOMPurify looks over-engineered, but it does the job of sanitising. Example code: var clean = DOMPurify.sanitize(dirty);

flyingzebra, Jun 20 '24 15:06
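The concern raised above is that a chain of String.replace calls is order-sensitive: whether a doubly-encoded entity such as `&amp;lt;` is decoded one level or two depends entirely on where the `&amp;` step sits in the chain. The following is an added example, not showdown's code and not code from the issue author: it shows the chain in the order the issue quotes (which decodes one level because `&amp;` is last), the same chain with `&amp;` moved first (which over-decodes), and a single-pass decoder that is correct regardless of ordering. It also shows that decoding entities is the opposite of sanitising, so decoded text has to be re-escaped or passed through a sanitiser before it is inserted into HTML. All function names and inputs here are constructed for the demonstration.

```javascript
// Added example (not showdown's code): order sensitivity of chained
// String.replace entity decoding, and a single-pass decoder that avoids it.
// Every input string below is constructed for this demonstration.

// The same four entities the helper quoted in the issue handles.
const ENTITY_MAP = {
  '&quot;': '"',
  '&lt;': '<',
  '&gt;': '>',
  '&amp;': '&',
};

// Chain in the order quoted in the issue: '&amp;' is decoded LAST, so the
// '&lt;' / '&gt;' it produces are never fed into a later replace. This
// decodes exactly one level, but only because of that ordering.
function unescapeChainedIssueOrder(txt) {
  return txt
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Same four replacements with '&amp;' moved FIRST. The '&lt;' it produces
// is decoded again by the next step: two levels stripped instead of one.
// This is the double-decoding trap that makes chained replace fragile.
function unescapeChainedWrongOrder(txt) {
  return txt
    .replace(/&amp;/g, '&')
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>');
}

// Single-pass decoder: one regex with an alternation plus a lookup table.
// Each match is replaced exactly once and the replacement is never
// re-scanned, so the result does not depend on the order of the entities.
const ENTITY_RE = /&(?:quot|lt|gt|amp);/g;
function unescapeSinglePass(txt) {
  return txt.replace(ENTITY_RE, (m) => ENTITY_MAP[m]);
}

// Decoding is not sanitising: after decoding, '<', '>', '&' and '"' are live
// again. Before the text goes into HTML it must be escaped (as here) or run
// through a sanitiser such as the DOMPurify call the issue suggests.
// For ESCAPING, '&' must be handled first so later steps are not re-encoded.
function escapeForHtml(txt) {
  return txt
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Constructed inputs: a doubly-encoded tag and a singly-encoded tag.
const DOUBLE_ENCODED = '&amp;lt;b&amp;gt;';
const SINGLE_ENCODED = '&lt;b&gt;';

// Collects the results so they can be inspected or asserted on.
function demo() {
  return {
    issueOrder: unescapeChainedIssueOrder(DOUBLE_ENCODED),        // '&lt;b&gt;' (one level)
    wrongOrder: unescapeChainedWrongOrder(DOUBLE_ENCODED),        // '<b>'      (two levels)
    singlePass: unescapeSinglePass(DOUBLE_ENCODED),               // '&lt;b&gt;' (one level)
    roundTrip: escapeForHtml(unescapeSinglePass(SINGLE_ENCODED)), // '&lt;b&gt;' again
  };
}

console.log(demo());
```

The single-pass form is the one to prefer when a hand-written decoder is unavoidable, because its correctness does not hinge on a reader noticing that one particular replace must come last; for anything that ends up in the DOM, a sanitiser on the final string is still the right last step.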