Possible XSS injection?
gluntn opened this issue · comments
William commented
Preface: I don't know enough about XSS injection, and I've only used the online demo. Just thought I'd share this.
I tried messing around with the script styling:
Hello there
And by adding a #
before the backticks, a script-tag was generated.
#```<script>alert("1")</script>
hello
\```
(minus the backslash) became
<h1\>```<script\>alert(1)</script></h1>
<p>hello\</p>
<pre><code></code></pre>
Is this the correct behaviour?
Aidan Woods commented
This is expected behaviour by default (since markdown itself permits HTML); however, there is safe mode if you want to accept user input safely.
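As an added illustration of the two settings mentioned above (this is not code from the issue or from the Parsedown project), the snippet below renders the issue's input once with Parsedown's defaults and once with safe mode enabled, and checks whether a raw script tag reaches the output. It assumes Parsedown is installed via Composer so that `vendor/autoload.php` exists.

```php
<?php
// Added example, not part of the issue thread or the Parsedown code base.
// Assumes Parsedown is installed with Composer (vendor/autoload.php present).
require __DIR__ . '/vendor/autoload.php';

// Constructed input: the markdown from the issue, a heading line carrying
// raw HTML followed by an unterminated fenced code block.
$markdown = "#```<script>alert(\"1\")</script>\nhello\n```";

// Defensive check used below: does the rendered HTML still contain an
// unescaped <script tag? Any true result means user-controlled markup
// reached the page as live HTML.
function containsRawScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Default settings: markdown allows inline HTML, so the tag passes through.
$default = new Parsedown();
$defaultHtml = $default->text($markdown);
echo "Default:\n", $defaultHtml, "\n";
echo 'raw <script> present: ', var_export(containsRawScriptTag($defaultHtml), true), "\n\n";

// Safe mode: raw HTML is escaped (for example '<' becomes '&lt;'), so the
// browser shows the tag as text instead of executing it.
$safe = new Parsedown();
$safe->setSafeMode(true);
$safeHtml = $safe->text($markdown);
echo "Safe mode:\n", $safeHtml, "\n";
echo 'raw <script> present: ', var_export(containsRawScriptTag($safeHtml), true), "\n";
```

Run it with `php` from the project directory; the default rendering reports `true` for the check and the safe-mode rendering reports `false`.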
William commented
Nice! Okay, that's good! 😁