XSS Vulnerability #65
Comments
@jhelou96 thanks for reporting this, I'll look into it.
Follow up

I made a PR to use Angular Marked built-in sanitizer

Right now, there is an option when configuring the

TL;DR

You can sanitize the markdown by setting the

```typescript
MarkdownModule.forRoot({
  provide: MarkedOptions,
  useValue: {
    gfm: true,
    tables: true,
    breaks: false,
    pedantic: false,
    sanitize: true, // enable marked built-in html sanitizer
    smartLists: true,
    smartypants: false,
  },
}),
```

You can report to the documentation for
@jfcere is this closed, or do I still have to sanitize my previous version v1.6? I saw this:
It is closed because you can already sanitize by setting property This feature is available since v1.5.0.
Ok cool. Thanks. Sorry for replying late. In what kind of cases do script tags or any JavaScript get applied other than the link JavaScript? Hopefully none, right? Just making sure.
I am not an expert on that matter, but I know JavaScript can be injected into different HTML elements such as I would suggest you read the following article: https://www.acunetix.com/websitesecurity/cross-site-scripting/ ... it's really interesting if you are not familiar with the XSS vulnerability, and it shows a couple of examples.
ok. neither me. i will sanitise. :-)

@jfcere You should let them know about the sanitize flag here as they've issued a security advisory:

Same here, got the security warning on this package.
@learnwell, @KingDarBoja thx for bringing this to my attention. I sent a support request to NPM to revoke the security advisory as As if it wasn't enough, the consumer also has the flexibility to provide his own sanitize function with

```typescript
MarkdownModule.forRoot({
  provide: MarkedOptions,
  useValue: {
    gfm: true,
    tables: true,
    breaks: false,
    pedantic: false,
    sanitize: true, // will use Angular DOM sanitizer
    smartLists: true,
    smartypants: false,
  },
}),
```
I've communicated with the NPM Security Team and, after providing mitigation steps, they removed the vulnerability report. They are suggesting that I add a warning to the A second option would be to switch the Action will be taken soon about the documentation and I'll think about the default value of
For what it's worth, my vote would be to turn sanitize on by default in the next major version release. As a consumer of this library, I'd rather Markdown-formatted content in my applications be sanitized by default. As I see it, the risks from accidentally failing to turn sanitization on outweigh the inconvenience of having to manually disable sanitization in cases where it truly is not needed.
I also agree.
The sanitization should be enabled by default, as people should only disable sanitization if they specifically need to do so and not the other way around.

On Wed., Aug. 28, 2019, 9:40 p.m., Patrick Shields <[email protected]> wrote:

For what it's worth, my vote would be to turn sanitize on by default in the next major version release. As a consumer of this library, I'd rather Markdown-formatted content in my applications be sanitized by default. As I see it, the risks from accidentally failing to turn sanitization on outweigh the inconvenience of having to manually disable sanitization in cases where it truly is not needed.
Thanks for your feedback gentlemen!

Awesome, glad to help you with this stuff 🍰
@jfcere Even after reading through most of the Can I, with
Hi @Helveg,
The short answer is yes. By default the library uses the Angular DOM sanitizer with the strictest level available. So you are as safe as Angular can be.
Hey,
someone pointed out an issue in another Angular markdown library about an XSS vulnerability, and it seems that this library presents the same issue as well.
Links are not being validated and, as such, the following code could be used to execute JavaScript code:

```markdown
[Click Me](javascript:alert('Injected!'%29)
```