Awesome-go: Should sanitize Markdown when rendering.

Created on 17 Jan 2017 · 6 comments · Source: avelino/awesome-go

See https://github.com/avelino/awesome-go/pull/1127#discussion_r82932502. It still hasn't been done.

You should sanitize the output from blackfriday, just in case someone sneaks a malicious piece of user content and we accidentally merge it.

See https://github.com/russross/blackfriday#sanitize-untrusted-content.

Blackfriday README says:

Sanitize untrusted content

Blackfriday itself does nothing to protect against malicious content. If you are
dealing with user-supplied markdown, we recommend running blackfriday's output
through HTML sanitizer such as
Bluemonday.

Here's an example of simple usage of blackfriday together with bluemonday:

```go
import (
    "github.com/microcosm-cc/bluemonday"
    "github.com/russross/blackfriday"
)

// ...
unsafe := blackfriday.MarkdownCommon(input)
html := bluemonday.UGCPolicy().SanitizeBytes(unsafe)
```
Labels: bug, help wanted

All 6 comments

@shurcooL can you send the fix?

@avelino I've just committed the fix, pushing.

@avelino done

@kirillDanshin the tests are now broken because you are missing a dependency

@felipeweb whoops! thanks, accidentally didn't git add it. fixed.
