> On 13 Oct 2017, at 15:14, Sam Whited <[email protected]> wrote:
> 
> On Fri, Oct 13, 2017, at 03:55, Kevin Smith wrote:
>> But I think that it’s fundamentally weird to claim that when
>> implementing markdownish, non-diligent devs won’t just inject HTML, but
>> while implementing XHTML-IM they will.
> 
> I agree. However if you send *&lt;script&gt;alert(123)&lt;script;&gt;*
> and someone converts the *'s to <strong> and injects that directly into
> the DOM, you end up with a nicely bolded: "<script>alert(123)</script>"
> and no XSS. That's if we decided to put it in <body> of course, where
> the server would yell at you if you didn't escape the script somehow. We
> could also put it outside of body, which some people seem to want, but I
> haven't thought about the implications of that much yet, I'm more
> focused on the XSF not recommending something that we know causes
> problems and has a long history of security issues.

I'm fairly late to the party here but with my web dev hat on I would feel much 
safer sanitising something like a subset of something like commonmark (e.g. 
without the HTML) to put in the DOM than trying to sanitise a subset of XHTML. 
For a start, with markdown the input content is just text, so you can entity 
escape the whole content first (which is relatively straightforward and renders 
it benign) and then go through and parse the markdown symbols into known safe 
elements without, as far as I can tell, the need to unescape any of the actual 
content. This feels far safer to me, and especially much less dangerous in the 
event of any errors or failings in the parsing.

--
Ash
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
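As an added example, not code from the thread, here is the escape-first approach Ash describes in JavaScript: the whole message is entity-escaped before any markdown symbols are parsed, so the emphasis pass can only ever emit the tags it knows about. Function names (escapeHtml, renderMarkdownish, onlyAllowedTags) are assumptions, and the sample input is the one from Sam's mail.

```javascript
// Step 1: entity-escape the entire message before touching any markup.
// After this, no '<', '>', '&' or quote from the sender survives as-is.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Step 2: parse a tiny markdown-ish subset (*strong* and _em_) on the
// already-escaped text. Nothing is unescaped, so the only tags in the
// output are the ones this function itself writes.
function renderMarkdownish(text) {
  return escapeHtml(text)
    .replace(/\*([^*\n]+)\*/g, '<strong>$1</strong>')
    .replace(/_([^_\n]+)_/g, '<em>$1</em>');
}

// Defensive check a client could run before inserting into the DOM:
// every tag present must be one the renderer is allowed to emit.
const ALLOWED_TAGS = new Set(['strong', 'em']);
function onlyAllowedTags(html) {
  for (const m of html.matchAll(/<\/?([a-zA-Z0-9]+)[^>]*>/g)) {
    if (!ALLOWED_TAGS.has(m[1].toLowerCase())) return false;
  }
  return true;
}

// Constructed sample: the case from Sam's mail, bold markers around a script tag.
const sample = '*<script>alert(123)</script>*';
const rendered = renderMarkdownish(sample);
// → <strong>&lt;script&gt;alert(123)&lt;/script&gt;</strong>
console.log(rendered, onlyAllowedTags(rendered));
```

The bolded text shows the literal `<script>` characters to the reader, but the DOM never sees a script element.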