On 15.07.2017 at 23:54, tetyys wrote:
one question about the </ encoding:
If a user-supplied image URL is passed to the "src" attribute unchecked,
then yes. But this would work regardless of the JSON escape rules and
really needs to be prevented by the application code.
However, I just noticed that this is still possible to exploit in the
Markdown processor. User-defined HTML is filtered, but link targets are
passed to the rendered HTML as-is (just HTML-encoded).
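
Added example, not part of the original message and not the Markdown processor's own code: a check that application code could apply to link and image targets before they reach the rendered HTML, since HTML encoding alone leaves the target's scheme and host untouched. The function names, the allowed-scheme list and the sample targets are assumptions constructed for illustration.

```python
import html
import re

# Assumption: the application only wants these schemes in rendered links.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Browsers drop ASCII tab/CR/LF anywhere in a URL and trim leading/trailing
# control characters and spaces, so the check must see the URL the same way.
_INNER_WS = re.compile(r"[\t\r\n]")
_EDGE_CHARS = "".join(chr(c) for c in range(0x21))
# RFC 3986 scheme syntax: a letter, then letters, digits, "+", "-" or ".".
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def check_link_target(target):
    """Return the cleaned target if it is acceptable, otherwise None."""
    cleaned = _INNER_WS.sub("", target).strip(_EDGE_CHARS)
    if not cleaned:
        return None
    match = _SCHEME.match(cleaned)
    if match:
        scheme = match.group(1).lower()
        return cleaned if scheme in ALLOWED_SCHEMES else None
    # No scheme: allow same-site relative paths, but reject "//host" and the
    # backslash variants that browsers also resolve to another host.
    if cleaned.startswith(("//", "\\", "/\\")):
        return None
    return cleaned


def render_link(target, text):
    """Render a Markdown-style link; a rejected target keeps only the text."""
    label = html.escape(text)
    checked = check_link_target(target)
    if checked is None:
        return label
    return '<a href="%s">%s</a>' % (html.escape(checked, quote=True), label)


if __name__ == "__main__":
    # Constructed sample targets.
    for sample in ["https://example.com/a?b=1&c=2", "x-custom:payload",
                   "x-cus\ttom:payload", "//example.invalid/x", "/docs/page"]:
        print(repr(sample), "->", render_link(sample, "link"))
```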