Mutation XSS + general sanitization #112
Comments
Version 1.1.2 seems safe

"Seems safe", two words any web developer should be rightfully terrified of 😱 I think the correct fix for this is to explicitly state in documentation that the library is almost certainly not XSS-safe, most likely never will be, and that it's up to the consumer to properly mitigate XSS by sanitizing the output of See showdown's article on XSS, which they link to from their README, for a great example of how to document this stuff.
There are character sequences that would be understood as benign by most sanitisers but that, when passed through anchorme, result in javascript execution.
I'll omit examples for obvious reasons, please reach out if you would like to know more.
Add to that, based on some small research, it is obvious that users of the library do not know that the output of anchorme should not be trusted to be free of potentially malicious javascript.
I think there is an argument to try to do sanitization (or at least make it a default switchable option), because that is how people often use the library and it is possibly beneficial to be safe by default.
That said, even if this was not the preferred option, the fact that people are often using it in an unsafe way shows that it would be useful to have at least some sort of disclaimer that clarifies the security model of anchorme.
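One way to get the "safe by default" behaviour the issue asks for, as an added example that is not anchorme's code: build the linkified HTML from entity-escaped pieces, so the input is never interpreted as HTML and the output never needs a sanitizer run over it afterwards. The function names (`linkifySafe`, `escapeHtml`, `isAllowedScheme`) and the deliberately narrow http(s)-only URL pattern are assumptions of this example.

```javascript
// Added example (not anchorme's code): a linkifier that is safe by
// construction. Input is treated as plain text, never as HTML: every
// non-URL segment is entity-escaped, and only http(s) URLs become anchors,
// with the href attribute-escaped and checked against a scheme allowlist.
// Names (linkifySafe, escapeHtml, isAllowedScheme) are hypothetical.

const URL_RE = /\bhttps?:\/\/[^\s<>"'`]+/g;
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Escape the five characters that can change HTML parsing context.
// Used for both text nodes and attribute values.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Defence in depth: even though URL_RE only matches http(s), parse the
// candidate with the WHATWG URL parser and reject anything else.
function isAllowedScheme(candidate) {
  try {
    return ALLOWED_SCHEMES.has(new URL(candidate).protocol);
  } catch {
    return false;
  }
}

// Turn untrusted plain text into HTML in which the only markup is
// <a href="..."> around vetted http(s) URLs. Because the output is built
// from escaped pieces, there is no HTML string to "clean up" afterwards.
function linkifySafe(text) {
  let out = "";
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = m[0];
    out += isAllowedScheme(url)
      ? `<a href="${escapeHtml(url)}" rel="noopener noreferrer">${escapeHtml(url)}</a>`
      : escapeHtml(url);
    last = m.index + url.length;
  }
  return out + escapeHtml(text.slice(last));
}
```

Anything that is not a vetted http(s) URL, including markup-looking text and other URL schemes, comes out as escaped text rather than as tags.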