
unsafeHTML #61

Open
nemi-notrace opened this issue Feb 4, 2023 · 1 comment

Comments

@nemi-notrace
Contributor

this is .. unsafe ;) we likely need to check the HTML there, or only allow strings, not HTML. We cannot inject any HTML coming from the repco node into the DOM; this opens it up to XSS etc. vulnerabilities.

this is a bit of a bigger issue that we'll have to address in repco. For now, we should either sanitize the HTML here or convert it to string only (remove all HTML tags).

Originally posted by @Frando in #60 (comment)

@nemi-notrace
Contributor Author

I will fix this by using the HTML Sanitizer API for now.

However, I don't think this is a good and permanent solution, on the one hand because we already need it for the frontend, and I also think that a repco node should guarantee secure content for the clients. This also goes further: we need better validation on the import itself. For the HTML problem I would suggest we do the sanitizing on the import from the datasource. If the original content is needed in a special case, you have to fish it out of the SourceRecord, which we also store, in a more complicated way.
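
The two fallbacks named in the quoted comment (render as text, or strip all tags) as an added example in plain JavaScript; this is not repco's code. The HTML Sanitizer API mentioned in the reply is browser-only, so the example shows the text-only path that runs anywhere: escape untrusted strings the way a template library does by default (instead of an unsafeHTML directive), or strip tags with a small scanner and then escape. Names such as `escapeHtml`, `stripTags` and `toTextOnlyMarkup` are this example's own.

```javascript
// Added example, not repco's own code: the two fallbacks named in the issue for
// HTML that arrives from a repco node and must not reach the DOM untrusted.
// Runs in plain Node.js; no DOM is needed.

// Option A: treat the value as text. This escaping is what a template library
// does by default when a string is interpolated normally instead of through an
// unsafeHTML-style directive, so a <script> tag renders as visible characters.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Option B: "convert it to string only": drop every tag and keep the text.
// A small scanner rather than a regex, so a '>' inside a quoted attribute or an
// unterminated tag cannot leave a fragment of markup behind (an unterminated
// tag swallows the rest of the input, which is the safe failure mode here).
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: ' ' };
function stripTags(html) {
  const s = String(html);
  let out = '';
  for (let i = 0; i < s.length; ) {
    if (s[i] === '<') {
      let quote = null;
      for (i += 1; i < s.length; i += 1) {
        const d = s[i];
        if (quote) { if (d === quote) quote = null; }
        else if (d === '"' || d === "'") quote = d;
        else if (d === '>') { i += 1; break; }
      }
      continue;
    }
    // Decode the common entities so the result is real plain text; unknown
    // names are kept literally, out-of-range code points are left as-is.
    const m = s[i] === '&' && /^&(?:#x([0-9a-f]+)|#(\d+)|([a-z]+));/i.exec(s.slice(i));
    if (m) {
      const cp = m[3] ? NaN : parseInt(m[1] || m[2], m[1] ? 16 : 10);
      const decoded = m[3] ? NAMED[m[3].toLowerCase()] : cp <= 0x10ffff ? String.fromCodePoint(cp) : undefined;
      if (decoded !== undefined) { out += decoded; i += m[0].length; continue; }
    }
    out += s[i];
    i += 1;
  }
  return out;
}

// The text-only pipeline: strip, then escape. The second step matters because
// stripTags decodes entities, so its output is plain text, not safe markup.
function toTextOnlyMarkup(untrustedHtml) {
  return escapeHtml(stripTags(untrustedHtml));
}
```

Whichever option is chosen, the value must still go through the template's normal text interpolation, never back through unsafeHTML.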
