nozer/quill-delta-to-html

Sanitize link attribute

laukaichung opened this issue · 2 comments

I've found that people can inject xss in the link attribute:

{"ops":[{"attributes":{"link":"javascript:alert(8007)"},"insert":"link"}]}

The browser will execute the javascript when you click the link.

Would you consider removing this sort of injection in the link attribute by escaping these characters?

// Escape HTML-special characters in a link attribute value. The ampersand must be
// encoded as &amp; (not left as &), otherwise later entities are double-decoded.
export function escapeLink(string) {
    return string
        .replace(/&/g, "&amp;")
        .replace(/</g, "&lt;")
        .replace(/>/g, "&gt;")
        .replace(/\(/g, "&#40;")
        .replace(/\)/g, "&#41;")
        .replace(/"/g, "&quot;");
}
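Character escaping protects the attribute boundary; the complementary check a renderer wants is a scheme allowlist, so that a `javascript:` (or `data:`, `vbscript:`) value never reaches an `href` at all. The following is an added example written for this thread, not code from quill-delta-to-html; the function names `sanitizeLinkUrl`, `escapeHtml` and `renderLink` and the sample ops are this example's own.

```javascript
// Added example, not code from quill-delta-to-html: validate the URL scheme of a
// Delta "link" attribute before it becomes an href, then escape it for the attribute.
// Function names (sanitizeLinkUrl, escapeHtml, renderLink) are this example's own.

// Schemes a rendered link may use. Anything else (javascript:, data:, vbscript:, ...)
// is refused rather than rendered.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);

// Leading "scheme:" as the WHATWG URL parser recognises it.
const SCHEME_RE = /^([a-z][a-z0-9+.-]*):/i;

// Returns a URL string that is safe to place in href, or null if the link must be refused.
function sanitizeLinkUrl(raw) {
  if (typeof raw !== 'string') return null;
  // The URL parser discards tab/newline anywhere and surrounding whitespace, so
  // "java\tscript:alert(1)" still parses as a javascript: URL. Normalise the same
  // way before inspecting the scheme.
  const cleaned = raw.replace(/[\t\n\r]/g, '').trim();
  if (cleaned === '') return null;
  const m = SCHEME_RE.exec(cleaned);
  if (m === null) {
    // No explicit scheme: a relative reference such as "/docs" or "#section".
    return cleaned;
  }
  return ALLOWED_SCHEMES.has(m[1].toLowerCase()) ? cleaned : null;
}

// HTML escaping for text and attribute values. & is encoded too, otherwise
// "&#106;avascript:" would be entity-decoded by the browser after the scheme check.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Render one Delta insert op carrying a link attribute as an <a> element; when
// the URL is refused, the text is emitted without any link.
function renderLink(op) {
  const text = escapeHtml(String(op.insert));
  const href = sanitizeLinkUrl(op.attributes && op.attributes.link);
  if (href === null) return text;
  return `<a href="${escapeHtml(href)}">${text}</a>`;
}

// Constructed sample ops: the one from the report plus a benign link.
const sampleOps = [
  { attributes: { link: 'javascript:alert(8007)' }, insert: 'link' },
  { attributes: { link: 'https://example.com/?a=1&b=2' }, insert: 'docs' },
];
for (const op of sampleOps) {
  console.log(JSON.stringify(op.attributes.link), '->', renderLink(op));
}
```

The allowlist is deliberately short; a host-local scheme such as `localhost:8080/x` (parsed as scheme `localhost`) is refused too, which is the safe default for user-supplied content.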
nozer commented

Will do. Thank you for reporting that.

nozer commented

Fixed and pushed to tag v0.7.0