
HTML tags should be escaped

Open · deanpcmad opened this issue 3 years ago · 1 comment

I've just found this app and it looks really neat. While playing around with the example I found that any html tags can be added, which can be a security risk.

For example, adding the iframe tag: https://og-image.vercel.app/**Hello**%20World%20%3Ciframe%20src='https:/deanpcmad.com/testfile.html'/%3E.png?fontSize=100px&theme=light&md=1

Renders out an image with an iframe:

[image: test]

I'm not sure if this is by design, I just feel html tags should be escaped?

deanpcmad avatar Jan 06 '21 10:01 deanpcmad

Hi @deanpcmad

This is expected when the md=1 option is used since markdown accepts arbitrary html.

You can use md=0 to use literal text instead.

You could also add something like sanitize-html or dompurify if you wanted to narrow down the accepted list of html tags.

styfle avatar Jan 09 '21 21:01 styfle
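The two paths described above, as an added example that is not og-image's own code: with `md=0` the title is HTML-escaped and rendered literally, with `md=1` raw HTML survives markdown rendering, and an allowlist sanitizer in front of the renderer removes tags such as `iframe`. `renderTitle`, the tag allowlist and the regex-based `sanitize` function are assumptions made for illustration; `sanitize` only stands in for sanitize-html or DOMPurify and is not a replacement for them.

```javascript
// Path taken for md=0: every HTML-significant character is escaped, so the
// title is rendered as literal text and "<iframe ...>" never becomes an element.
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Minimal stand-in for a markdown renderer: it only handles **bold** and, like
// real markdown, passes raw HTML through untouched (the behaviour behind md=1).
function renderMarkdown(text) {
  return text.replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>');
}

// Stand-in for sanitize-html / DOMPurify configured with an allowlist of tags
// (assumption, not a real sanitizer): tags not on the list are dropped, and
// attributes are stripped from the tags that are kept.
function sanitize(html, allowedTags) {
  const allowed = new Set(allowedTags.map((t) => t.toLowerCase()));
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g, (tag, name) => {
    const lower = name.toLowerCase();
    if (!allowed.has(lower)) return '';
    return tag.startsWith('</') ? `</${lower}>` : `<${lower}>`;
  });
}

// Hypothetical title renderer: md=false escapes, md=true renders markdown
// and then narrows the HTML that survives to the allowlist.
function renderTitle(text, md, allowedTags = ['strong', 'em', 'br']) {
  if (!md) return escapeHtml(text);
  return sanitize(renderMarkdown(text), allowedTags);
}

// Constructed input mirroring the report: bold text followed by an iframe tag.
const reported = "**Hello** World <iframe src='https://example.com/testfile.html'/>";

console.log('md=0 :', renderTitle(reported, false));
console.log('md=1 :', renderMarkdown(reported));          // iframe survives
console.log('md=1+sanitize:', renderTitle(reported, true)); // iframe removed
```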

Closing in favor of https://github.com/vercel/og-image/issues/226

leerob avatar Jan 19 '23 00:01 leerob