
Other: Better HTML sanitization for Markdown content #39

Open
riipah opened this issue Feb 28, 2015 · 0 comments
Labels
complexity: unknown Unknown days of work feature request priority: low Issues/Tasks that are not so important security Security text Text/Characters display (Markup language: Markdown)

riipah commented Feb 28, 2015

By spec, all HTML is allowed by Markdown. Currently we're HTML encoding all text before it is passed to the Markdown parser. This prevents the most obvious XSS attacks, but not all. It'd be better to sanitize the generated HTML with a whitelist of allowed tags. Obviously we can't just HTML encode all of the HTML generated by the Markdown parser (or strip HTML tags), because otherwise using Markdown would be pointless to begin with.

The HtmlSanitizer library could possibly be used for this. There's also the Web Protection Library by Microsoft, but I've heard it's not very good. CsQuery HTML parsing library could also be used.
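The approach the issue proposes, as an added example that is not VocaDB's code and not the HtmlSanitizer library: an allowlist sanitizer that runs over the HTML the Markdown renderer produced (tags, attributes and link schemes are all allowlisted; the sets below are assumptions, not the project's configuration).

```python
# Added example, not project code: allowlist-sanitize the HTML a Markdown
# renderer emitted, instead of HTML-encoding the Markdown source up front.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "br", "em", "strong", "code", "pre", "a", "ul", "ol",
                "li", "blockquote", "h1", "h2", "h3"}   # assumed allowlist
ALLOWED_ATTRS = {"a": {"href", "title"}}            # any other attribute is dropped
ALLOWED_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative URL
VOID_TAGS = {"br"}
DROP_CONTENT = {"script", "style"}                  # drop tag *and* its text


def _safe_url(url):
    # urlparse lowercases the scheme; anything not allowlisted is rejected.
    return urlparse(url.strip()).scheme.lower() in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities decoded, re-escaped below
        self.out, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._skip += 1
            return
        if tag not in ALLOWED_TAGS or self._skip:
            return  # unknown tag: keep its text content, drop the tag itself
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not _safe_url(value or ""):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS and not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))  # re-escape all text


def sanitize(rendered_html):
    parser = AllowlistSanitizer()
    parser.feed(rendered_html)
    parser.close()
    return "".join(parser.out)
```

Because the sanitizer sees the renderer's output, a link the Markdown syntax itself produced is checked the same way as raw HTML in the source, which is the gap that input-side encoding leaves open.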

@riipah riipah added the security Security label Feb 28, 2015
@d-dd d-dd mentioned this issue Mar 19, 2015
@andreoda andreoda added this to the Any Time milestone Jan 13, 2021
@ycanardeau ycanardeau removed this from the Any Time milestone Apr 17, 2021
@andreoda andreoda added the text Text/Characters display (Markup language: Markdown) label Apr 21, 2023
@andreoda andreoda added the complexity: unknown Unknown days of work label Mar 6, 2024
@andreoda andreoda added the priority: low Issues/Tasks that are not so important label Mar 23, 2024
@andreoda andreoda changed the title Better HTML sanitization for Markdown content Multiple entries: Better HTML sanitization for Markdown content Dec 2, 2024
@andreoda andreoda changed the title Multiple entries: Better HTML sanitization for Markdown content Other: Better HTML sanitization for Markdown content Dec 2, 2024