XSS Concern
Closed this issue · 0 comments
kgiszewski commented
Presently, if a book contains JavaScript, a system will run it, creating an XSS situation. Ideally I would like to make this possibility less likely than it is now.
Things I've tried:
- Using HtmlAgilityPack to remove script tags
  - This sort of works, but blows up all generics documentation `GetPropertyValue<foo>("")` and any literal `<` `>`
- Force entity encoding
  - Sort of works, but `code` tags need to be untouched (I think) as it leaves the entities in place
- Remove bad tags just before we render to the `div`
  - Not yet tried.
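The trade-off in the list above, shown as an added example that is not part of the original issue or the project's code: instead of removing tags that are not allowed, escape them, so `<script>` becomes inert text while `GetPropertyValue<foo>("")` and a bare `<` still display, and `code` tags stay real markup. It is a Python standard-library sketch rather than HtmlAgilityPack code, and the allowlist, URL prefixes and sample input are assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for rendered book pages; adjust to the markup the books use.
ALLOWED_TAGS = {"p", "pre", "code", "em", "strong", "ul", "ol", "li", "h1", "h2", "h3", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_PREFIXES = ("http://", "https://", "/", "#")


class EscapingSanitizer(HTMLParser):
    """Re-emit allowlisted tags; turn everything else into visible, inert text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # <script>, <foo>, <string, int> ...: escape the raw tag, do not drop it.
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = [
            f' {name}="{escape(value)}"'
            for name, value in attrs
            if name in ALLOWED_ATTRS.get(tag, ())
            and (value or "").lower().startswith(SAFE_URL_PREFIXES)
        ]
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # treat <x/> like <x>

    def handle_endtag(self, tag):
        text = f"</{tag}>"  # the parser lowercases end-tag names
        self.out.append(text if tag in ALLOWED_TAGS else escape(text))

    def handle_data(self, data):
        self.out.append(escape(data))  # text, including script bodies, is always encoded


def sanitize(html_text):
    parser = EscapingSanitizer()
    parser.feed(html_text)
    parser.close()  # flush any buffered trailing text
    return "".join(parser.out)


# Constructed sample: generics, a bare "<", an event handler and a script tag.
SAMPLE = '<p onclick="x()">Call <code>GetPropertyValue<foo>("")</code> when a < b</p><script>alert(1)</script>'
print(sanitize(SAMPLE))
```

Run it as the last step before the HTML is written into the page, so the output is not decoded or re-parsed afterwards.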