Implement XSS prevention measures
stypr opened this issue · 1 comment
stypr commented
Please consider adding XSS countermeasures for this product. It's possible to run arbitrary JavaScript code.
To reproduce
- go to https://letsmarkdown.com/
- Get the generated URL ( https://letsmarkdown.com/pink-things-6832 )
- Add the following details
<img src=1 onerror="console.log(top.document.body.innerHTML='Unexpected_Page')">
- Ask people to access
https://letsmarkdown.com/pink-things-6832
Suggested Fix
Consider disabling the HTML feature in src/components/Score.tsx, or using the sanitizer package while HTML is turned on.
LetsMarkdown.com/src/components/Score.tsx, line 30 in d88c75b
I assume HTML tags are not required most of the time.
Reference: https://github.com/markdown-it/markdown-it/blob/master/docs/security.md
Cveinnt commented
Hi @stypr , thanks for pointing this out - really appreciate the effort!
I just pushed an update that fixes this with markdown-it-sanitizer. Let me know if you have any other suggestions security-wise!
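The two defences discussed in this thread, shown as an added example that is not LetsMarkdown's code and not markdown-it-sanitizer: either raw HTML is disabled in the markdown renderer (markdown-it's `html: false` option, which escapes the tag instead of emitting it), or raw HTML stays on and the rendered output is passed through an allowlist sanitizer before it reaches the DOM. The payload is the one from the report; the tag and attribute allowlists are assumptions made for this example.

```javascript
// Added example: not LetsMarkdown's code and not markdown-it-sanitizer. It models
// the two defences from the issue for a renderer that would otherwise pass raw
// HTML through. The payload is the one from the report, constructed inline.

const PAYLOAD =
  '<img src=1 onerror="console.log(top.document.body.innerHTML=\'Unexpected_Page\')">';

// Defence 1: the "html: false" route. markdown-it with raw HTML disabled escapes
// the tag instead of emitting it; this function applies the same escaping, so the
// payload reaches the DOM as visible text, not as an <img> element.
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Defence 2: keep raw HTML on but allowlist what survives. Tags outside
// ALLOWED_TAGS are escaped as text, attributes outside ALLOWED_ATTRS (so every
// on* handler, style, srcdoc, ...) are dropped, and URL attributes must carry a
// safe scheme. The allowlists are assumptions for this example.
const ALLOWED_TAGS = new Set(['p', 'em', 'strong', 'code', 'pre', 'a', 'img', 'ul', 'ol', 'li', 'br']);
const ALLOWED_ATTRS = new Set(['href', 'src', 'alt', 'title']);
const URL_ATTRS = new Set(['href', 'src']);

function safeUrl(value) {
  // Strip whitespace and control characters first so "java\tscript:" is still caught.
  const v = value.replace(/[\s\u0000-\u001f]/g, '').toLowerCase();
  if (!/^[a-z][a-z0-9+.-]*:/.test(v)) return true; // relative URL, no scheme
  return /^(https?|mailto):/.test(v);               // rejects javascript:, data:, vbscript:
}

function filterAttrs(rawAttrs) {
  const kept = [];
  const attrRe = /([a-zA-Z][\w:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const name = m[1].toLowerCase();
    if (!ALLOWED_ATTRS.has(name)) continue;           // drops onerror, onclick, style, ...
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (URL_ATTRS.has(name) && !safeUrl(value)) continue;
    kept.push(` ${name}="${escapeHtml(value)}"`);
  }
  return kept.join('');
}

function sanitizeHtml(html) {
  return html.replace(/<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g, (whole, slash, tag, attrs) => {
    const name = tag.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return escapeHtml(whole); // unknown tag becomes visible text
    return slash ? `</${name}>` : `<${name}${filterAttrs(attrs)}>`;
  });
}

// Regression check for rendered output: an event-handler attribute inside a tag.
function containsInlineHandler(html) {
  return /<[^>]*\son[a-z]+\s*=/i.test(html);
}

console.log('escaped:  ', escapeHtml(PAYLOAD));   // tag shown as text
console.log('sanitized:', sanitizeHtml(PAYLOAD)); // <img src="1">, handler gone
```

The regex-based filter above is only there to show the shape of the allowlist approach; a production renderer should use a maintained sanitizer (markdown-it-sanitizer, as the fix here did, or DOMPurify on the client) rather than hand-written tag parsing, which is easy to get wrong on malformed markup. The `containsInlineHandler` check is the kind of assertion worth keeping in the test suite so a later change to the renderer options cannot silently reintroduce the issue.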