btford/angular-markdown-directive

Does using angular-sanitize protect against Showdown XSS?

canebat opened this issue · 2 comments

Showdown has an XSS bug:
showdownjs/showdown#57

Will including angular-sanitize as you have it in the README help prevent this?

You can't really prevent XSS attacks in showdown before the input is fully parsed into HTML, because markdown provides a number of ways to inject a script that are very hard (or close to impossible) to detect by usual means.

So angular-sanitize should be used AFTER the HTML is processed. This prevents most classic XSS attacks but does not prevent the defacing of your webpage (with images, for instance).
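The ordering point in the comment above, as an added example (not code from this thread, from angular-markdown-directive, from Showdown or from angular-sanitize): a toy Markdown renderer paired with a small allowlist HTML sanitizer that stands in for `$sanitize` (allowlisted elements and attributes, scheme check on `href`). All function names, the tag allowlist and the sample inputs are the example's own assumptions. Running the same Markdown through "sanitize, then render" and "render, then sanitize" shows why only the second order works: link syntax that contains no HTML at all passes a sanitizer untouched and only becomes a dangerous `<a href>` once the renderer emits it.

```javascript
// Added example: toy Markdown renderer + allowlist HTML sanitizer, showing that
// sanitization must run on the rendered HTML, not on the Markdown source.
// Not the code of angular-markdown-directive, Showdown or angular-sanitize.

const ALLOWED_TAGS = new Set(['p', 'br', 'em', 'strong', 'a']);
// Only http(s) URLs, same-origin absolute paths and fragments are accepted in href.
const SAFE_HREF = /^(https?:\/\/|\/(?!\/)|#)/i;

function escapeText(s) {
  // Text nodes: neutralise anything that could start a tag. Entities already
  // present in the rendered output are left alone.
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Minimal Markdown: **strong**, *em*, [text](url). Raw HTML in the source is
// passed through untouched, exactly as real Markdown renderers do.
function renderMarkdown(md) {
  const html = md
    .replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>')
    .replace(/\*(.+?)\*/g, '<em>$1</em>')
    .replace(/\[([^\]]+)\]\(([^)\s]+)\)/g, '<a href="$2">$1</a>');
  return `<p>${html}</p>`;
}

function sanitizeAttrs(tag, attrText) {
  const out = [];
  const attrRe = /([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = attrRe.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    const value = (m[2] ?? m[3] ?? m[4] ?? '').trim();
    // The only attribute permitted anywhere is href on <a>, and only with a
    // vetted scheme; event handlers, style, src and the like are dropped.
    if (tag === 'a' && name === 'href' && SAFE_HREF.test(value)) {
      out.push(` href="${escapeAttr(value)}"`);
    }
  }
  return out.join('');
}

// Allowlist sanitizer: re-emits only known tags with vetted attributes. Unknown
// tags vanish and their inner text is kept as inert, escaped text.
function sanitizeHtml(html) {
  const tokenRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tokenRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = tokenRe.lastIndex;
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue;
    out += closing ? `</${tag}>` : `<${tag}${sanitizeAttrs(tag, m[3])}>`;
  }
  return out + escapeText(html.slice(last));
}

// The two possible orderings of the pipeline.
function renderThenSanitize(md) { return sanitizeHtml(renderMarkdown(md)); }
function sanitizeThenRender(md) { return renderMarkdown(sanitizeHtml(md)); }

// Constructed inputs: a benign document, Markdown link syntax carrying a
// javascript: URL (a standard sanitizer test vector), and raw inline HTML
// with an event handler attribute.
const SAMPLES = [
  'Hello **world**, see [docs](https://example.com/)',
  '[click](javascript:alert)',
  '<a href="https://example.com/" onclick="x()">ok</a>',
];

for (const md of SAMPLES) {
  console.log('source          :', md);
  console.log('sanitize->render:', sanitizeThenRender(md));
  console.log('render->sanitize:', renderThenSanitize(md));
}
```

The raw-HTML sample is neutralised in either order, because a sanitizer can see the `<a onclick>` in the source. The link-syntax sample contains no HTML, so "sanitize, then render" passes it through and the renderer then emits `<a href="javascript:alert">`; only "render, then sanitize" sees the finished `href` and strips it. This is the mechanism behind the comment's advice to apply angular-sanitize after Showdown has produced HTML, and it also explains why sanitization alone cannot stop defacement: an allowed `<img>` or `<a>` with a permitted scheme is, by design, let through.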

Please note that the issue referenced is not about XSS - I just happened to discover it while writing about XSS. I have clarified this in the other issue's comment thread.