rjeschke/txtmark

Safe mode is not enough to be really safe

FroMage opened this issue · 3 comments

It currently allows users to "escape" the place they are supposed to be at with for example the following HTML template:

<p>
 This contains the text: 
 <div id="user-content">${mdContent}</div>
</p>

One can then create Markdown content such as:

In the box
</div></p>
<p>
 Outside the box, looks like part of the site now 
 <a href="malicious-link">go there to reset your password please</a>
</p>

I need a way to escape every unescaped < character from the input.
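A Python sketch of the container breakout described above and of the escaping the reporter asks for. This is an added example, not txtmark code or its panicMode; `TEMPLATE`, `BREAKOUT`, `escape_raw_html` and the depth check are constructed stand-ins.

```python
import re
from html.parser import HTMLParser

# Constructed stand-in for the site template from the issue: user-supplied
# Markdown (rendered to HTML) is dropped into a container div.
TEMPLATE = ('<p>\n This contains the text: \n'
            ' <div id="user-content">{content}</div>\n</p>')

# Constructed user input that mimics the issue's breakout payload.
BREAKOUT = ('In the box\n</div></p>\n<p>\n Outside the box\n'
            ' <a href="https://example.invalid/">go there</a>\n</p>')

def escape_raw_html(md: str) -> str:
    """Escape every '<' and '>' that is not a Markdown backslash escape.

    Hypothetical mitigation in the spirit of the issue's request. A '\\<' is
    a Markdown literal the renderer already emits as &lt;, so it is left alone.
    """
    return re.sub(r'(?<!\\)[<>]',
                  lambda m: '&lt;' if m.group() == '<' else '&gt;', md)

class DepthTracker(HTMLParser):
    """Track whether a fragment ever closes more tags than it opened."""
    def __init__(self):
        super().__init__()
        self.depth = 0
        self.min_depth = 0
    def handle_starttag(self, tag, attrs):
        if tag not in ('br', 'img', 'hr'):   # void elements never close
            self.depth += 1
    def handle_endtag(self, tag):
        self.depth -= 1
        self.min_depth = min(self.min_depth, self.depth)

def escapes_container(fragment: str) -> bool:
    """True if the fragment could close the enclosing <div id="user-content">."""
    t = DepthTracker()
    t.feed(fragment)
    return t.min_depth < 0

def render_page(user_md: str, safe: bool) -> str:
    # Stand-in for a 'safe mode' that still passes raw HTML through unchanged:
    # the Markdown-to-HTML step is a no-op here, so only the escaping matters.
    fragment = escape_raw_html(user_md) if safe else user_md
    return TEMPLATE.format(content=fragment)
```

With `safe=False` the rendered page contains the literal `</div></p>` from user input, so the depth check flags it; with `safe=True` the same input renders as visible `&lt;/div&gt;` text inside the container.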

Added a panicMode, fixed with 00fa65a

Thanks! I'll try it out!

Yes, works, thanks!