how to use dompurify for HTML sanitize in effective way #1441

Open
ys-oo opened this issue Jan 6, 2024 · 3 comments

ys-oo commented Jan 6, 2024

I'm working on a Notion alternative using React JS and this awesome package. So far I haven't succeeded in making a DOMPurify plugin that will sanitize the HTML before it's rendered to the DOM, especially when using markdown comments like [link](google.com), as this is a huge door for XSS attacks.

Thank you for making this awesome package, and I do appreciate any help <3

marijnh (Member) commented Jan 6, 2024

I'm not sure I follow. Are the links or the comments an XSS vector? How?

ys-oo (Author) commented Jan 8, 2024

yo

> I'm not sure I follow. Are the links or the comments an XSS vector? How?

I appreciate your response. The markdown links could be used to inject an XSS attack. I did provide an example with a google.com link, but it could be javascript instead ...

marijnh (Member) commented Jan 8, 2024

I don't think markdown-it will parse javascript: links. Do you have a working proof-of-concept?
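The concern raised in this thread is a link target whose scheme is something other than an ordinary web address. One way to enforce a scheme allowlist on a link target before it is rendered, as an added example that is not code from this project, markdown-it or DOMPurify; `safeHref`, `renderLink` and the `notes.example` base URL are hypothetical names:

```javascript
// Added example: scheme allowlist for link targets before they reach the DOM.
// safeHref, renderLink and the notes.example base are hypothetical names.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);

// Resolve `raw` the way a browser would (scheme lowercased, tabs, newlines
// and surrounding whitespace stripped) and return the normalized URL, or
// null when it does not parse or its scheme is not on the allowlist.
function safeHref(raw, base) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    url = new URL(raw, base);
  } catch (err) {
    return null; // unparseable input is treated as unsafe
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Emit an anchor only for allowed targets; otherwise fall back to inert text.
// The href written out is the same normalized value that was checked.
function renderLink(text, raw, base) {
  const href = safeHref(raw, base);
  const label = escapeHtml(text);
  return href === null ? label : `<a href="${escapeHtml(href)}">${label}</a>`;
}

// Constructed sample inputs, not taken from the thread.
const BASE = "https://notes.example/doc/1";
for (const raw of ["google.com", "https://google.com", "JaVa\tScRiPt:void(0)",
                   "data:text/html,hi", "mailto:a@example.com"]) {
  console.log(JSON.stringify(raw), "->", renderLink("link", raw, BASE));
}
```

In a browser the base argument would be `document.baseURI`, so a relative target such as `google.com` resolves against the current page exactly as the rendered anchor would.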
