Mutation XSS + general sanitization #112
Comments
Closed
|
Version 1.1.2 seems safe |
"Seems safe", two words any web developer should be rightfully terrified of 😱 I think the correct fix for this is to explicitly state in documentation that the library is almost certainly not XSS-safe, most likely never will be, and that it's up to the consumer to properly mitigate XSS by sanitizing the output of See showdown's article on XSS, which they link to from their README, for a great example of how to document this stuff. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
There are character sequences that would be understood as benign by most sanitisers that when they are passed through anchorme result in javascript execution.
I'll omit examples for obvious reasons, please reach out if you would like to know more.
Add to that based on a small research it is obvious that users of the library do not know that the output of anchore me should not be trusted to be free of potentially malicious javascript.
I think there is an argument to try to do sanitization (or at least make it a default switchable option), because that is how people often use the library and it is possibly beneficial to be safe by default.
That said even if this was not the preferred option the fact that people are often using it in an unsafe way shows that it would be useful to have at least some sort of disclaimer that clarifies the security model of anchorme.
The text was updated successfully, but these errors were encountered: