Sanitize link attribute
laukaichung opened this issue · 2 comments
laukaichung commented
I've found that people can inject XSS in the link attribute:

```json
{"ops":[{"attributes":{"link":"javascript:alert(8007)"},"insert":"link"}]}
```
The browser will execute the javascript when you click the link.
Would you consider removing this sort of injection in the link attribute by escaping these characters?
```js
// HTML-entity-escape the characters that could break out of, or be
// interpreted inside, the href attribute value.
export function escapeLink(string) {
  return string
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/\(/g, "&#40;")
    .replace(/\)/g, "&#41;")
    .replace(/"/g, "&quot;");
}
```
nozer commented
Will do. Thank you for reporting that.
nozer commented
Fixed and pushed to tag v0.7.0.
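For reference, here is an added example of how a link attribute can be sanitized before it is rendered into an `href`; it is example code written for this thread, not quill-delta-to-html's own implementation or the fix shipped in v0.7.0. The `ALLOWED_SCHEMES` list and the `renderLinkOp` rendering are assumptions for the example. It shows why entity-escaping `(` and `)` alone does not stop the reported payload (browsers decode entities inside attribute values, so the link still runs on click) and that a scheme allowlist is what actually blocks it:

```javascript
// Added example, not quill-delta-to-html's own code. Escaping "(" and ")" in
// the href does not neutralise the reported payload: browsers decode entities
// in attribute values, so href="javascript:alert&#40;8007&#41;" still runs on
// click. A scheme allowlist is what blocks it; entity escaping is still
// needed, but only to keep the value inside the attribute.

// Assumed allowlist; adjust to what your app needs (ftp, etc.).
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto", "tel"]);

// Escape a string for a double-quoted HTML attribute value (also safe for text).
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Returns the link value to emit, or null when the link must be dropped.
function sanitizeLink(value) {
  if (typeof value !== "string") return null;
  const trimmed = value.trim();
  // Browsers ignore ASCII control characters and whitespace inside the scheme
  // ("java\tscript:" still runs), so strip them before reading the scheme.
  const probe = trimmed.replace(/[\u0000-\u0020\u007f]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(probe);
  if (m && !ALLOWED_SCHEMES.has(m[1].toLowerCase())) return null;
  return trimmed; // allowed scheme, or a scheme-less (relative) URL
}

// Render one Delta insert op carrying a link attribute; unsafe links degrade
// to plain text instead of being emitted as an <a>.
function renderLinkOp(op) {
  const text = escapeAttr(op.insert);
  const href = sanitizeLink(op.attributes && op.attributes.link);
  if (href === null) return text;
  return `<a href="${escapeAttr(href)}" rel="noopener noreferrer">${text}</a>`;
}

// Constructed sample: the op from the report plus a benign link.
const SAMPLE_OPS = [
  { attributes: { link: "javascript:alert(8007)" }, insert: "link" },
  { attributes: { link: "https://example.com/?a=1&b=2" }, insert: "a<b" },
];

function renderOps(ops) {
  return ops.map(renderLinkOp).join("");
}

console.log(renderOps(SAMPLE_OPS));
```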