Attribution Details : sanitize user input #177
Comments
Thank you for reporting this issue, @matheod , it is very important. Please, go ahead and submit your PR when you are ready!
@obulat, is this issue still available to work upon?
Yes, @neeraj-2 , it is. I've tried replicating it, and I see that although Richtext seems to be safe, if HTML code has something like
Thanks, @obulat for the information. Trying some approach for the same. Will inform you asap.
@Cronus1007, I am on it. Will give an update soon.
@neeraj-2 If you require any help let me know. :)
@zackkrida , we need your input on this issue :) We have a form with two URLs and two text inputs for the Name of the Creator and Work Title. We use these data to create Rich Text and HTML string with attribution. What should we do to improve security on them? From my understanding (after some testing and research) the URLs are sanitized, and even if users input javascript into them, the JS just turns into text and is harmless. Is it really, though?
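One defensive way to build the attribution string the comment above describes, as an added example that is not code from the issue or from the project: the two text fields are HTML-escaped, and the two URL fields are only rendered as links when they parse with an http or https scheme, so a javascript: value falls back to plain text. The field names are assumed.

```javascript
// Added example (not from the issue or the project's code base): build the
// attribution HTML from the four form fields so that neither the text fields
// nor the URL fields can inject markup or a javascript: link.
// Field names (title, workUrl, creator, creatorUrl) are assumed.

const SAFE_SCHEMES = new Set(["http:", "https:"]);

// Escape the five characters that matter inside HTML text and attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Return the normalised URL if it parses and uses http(s); otherwise null.
// The WHATWG URL parser lower-cases the scheme, so " JavaScript:alert(1)"
// still ends up as protocol "javascript:" and is rejected by the allow-list.
function safeUrl(value) {
  let parsed;
  try {
    parsed = new URL(String(value).trim());
  } catch {
    return null; // not a parseable absolute URL
  }
  return SAFE_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Build the attribution line. A field whose URL is unsafe is rendered as plain
// escaped text instead of a link, so the output never carries a javascript: href.
function buildAttribution({ title, workUrl, creator, creatorUrl }) {
  const link = (text, url) => {
    const safe = safeUrl(url);
    const label = escapeHtml(text);
    return safe ? `<a href="${escapeHtml(safe)}">${label}</a>` : label;
  };
  return `${link(title, workUrl)} by ${link(creator, creatorUrl)}`;
}
```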
I am going to close this issue. From a security perspective, we have a single user entering input and then using the output on their own site. Because they're both the creator and consumer of this input text, I don't think we need to worry about them inputting and then outputting malicious code for use on their own sites. |
Description
Work Author, URL of creator profile, Title of Work and Work URL input are not sanitized.
This brings two theoretical security issues:
javascript: url can be written
This brings two real issues:
Additional context
javascript: is allowed) but not in HTML
Resolution