Javascript Injection
sbordes opened this issue · 1 comments
sbordes commented
It's possible to inject malicious JavaScript code into markdown text.
You should avoid the possibility of using the script tag and all event attributes (onXXXX).
```html
<script language="javascript">
function yes(){
document.location.href="http://www.mysite.com";
}
</script>
<div onmouseover="yes()">
Bla Bla
</div>
```