Message6320
Hi rouilj:
>I wonder if this could be used for some form of attack using html/iframe
>or possibly letting a <script> tag skip through. The latter would be
>really bad as without the correct restrictions in place it would be
>executed.
>
>I think using local_replace to change < into &lt; and > into &gt;
>before passing the resulting text to local_markdown will shortcut this
>attack, but I am not positive.
Roundup passes the HTML to local_replace with the replacements ('< into
&lt;', '> into &gt;', etc). So html/iframe and <script> tags are no
problem.
The link label ('[a safe side](http://a_bad_side.com)') doesn't work
either, because Roundup replaces the link with '<a
href="http://a_bad_side.com">http://a_bad_side.co</a>' and commonmark
doesn't recognize the link anymore.
The e-mail links work without restrictions.
>Also have you considered implementing a document preview mode to allow
>web entry of commonmark to be tested before it is committed?
Unfortunately I don't know Roundup so well yet and therefore I can't
estimate how complex the implementation is. So I'm not sure I'll
implement it.
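The escape-then-markdown ordering described in this reply, as an added example that is not part of the thread or of Roundup's code. `local_replace` and `local_markdown` here are simplified stand-ins (assumed behaviour: HTML-escape, then autolink bare URLs and e-mail addresses; a markdown step handling only `[label](url)` links), not Roundup's real hooks or commonmark; `only_allowed_tags` is a constructed post-render check.

```python
import html
import re

# Constructed, simplified stand-ins for Roundup's local_replace and
# local_markdown hooks (assumption: the real hooks do more than this).
# Bare URLs stop at whitespace, quotes, ')' and '&' to keep the stand-in short.
URL_RE = re.compile(r'(https?://[^\s<>"\')&]+)')
EMAIL_RE = re.compile(r'([\w.+-]+@[\w-]+(?:\.[\w-]+)+)')
# Only [label](url) inline links, with no whitespace or parentheses in the url.
MD_LINK_RE = re.compile(r'\[([^\]]+)\]\(([^\s()]+)\)')
# Real (unescaped) tags in rendered output; '&lt;script' does not match.
TAG_RE = re.compile(r'</?([A-Za-z][A-Za-z0-9]*)')


def local_replace(text: str) -> str:
    """Step 1: escape every raw '<', '>', '&' and quote, so user-supplied
    <script>/<iframe> markup becomes inert text; then autolink bare URLs
    and e-mail addresses, which are the only anchors this stage creates."""
    escaped = html.escape(text, quote=True)
    escaped = URL_RE.sub(r'<a href="\1">\1</a>', escaped)
    return EMAIL_RE.sub(r'<a href="mailto:\1">\1</a>', escaped)


def local_markdown(text: str) -> str:
    """Step 2: markdown runs on the already-escaped, already-autolinked text.
    A [label](http://...) destination is now '<a href=...>...</a>', which
    contains a space, so the link syntax no longer matches."""
    return MD_LINK_RE.sub(r'<a href="\2">\1</a>', text)


def render(text: str) -> str:
    return local_markdown(local_replace(text))


def only_allowed_tags(rendered: str, allowed=('a',)) -> bool:
    """Post-render check: every real tag in the output is on the allow-list."""
    return all(m.group(1).lower() in allowed for m in TAG_RE.finditer(rendered))


if __name__ == '__main__':
    # Constructed sample inputs mirroring the cases discussed in the thread.
    for sample in ('<script>alert(1)</script>',
                   '[a safe side](http://a_bad_side.com)',
                   'write to me@example.org',
                   '[docs](/wiki/Home)'):
        out = render(sample)
        print(repr(out), only_allowed_tags(out))
```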
Date | User | Action | Args
2019-01-17 14:39:49 | mschieder | set | messageid: <1547735989.25.0.0122384378891.issue2550856@roundup.psfhosted.org>
2019-01-17 14:39:49 | mschieder | set | recipients: + mschieder, ber, rouilj, ThomasAH, ncoghlan
2019-01-17 14:39:49 | mschieder | link | issue2550856 messages
2019-01-17 14:39:49 | mschieder | create |