Brett on 06 Feb, 2018 06:47 PM
So do you have any suggestions on how to prevent this vulnerability?
Marked requires network requests to work with hosted resources, so
blocking outgoing requests isn't an option. I used to strip script tags
from documents automatically, but that stops people from loading their
own libraries like Mermaid and other tools. I'd be open to suggestions.
Brett on 06 Feb, 2018 08:31 PM
I don't think CSP is feasible in this case. But just removing/limiting
the preview function might be fair, I'm not sure many use that anyway.
What if when using the /preview handler, Marked stripped all scripts
from the input? I'd list it as a security feature, and I don't think
that in the use case for that query handler the functionality would be
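One way to implement the script stripping proposed above for the /preview handler, as an added Python example that is not Marked's own code: it walks the rendered HTML with the standard library's parser instead of a regular expression, and also drops inline on* event-handler attributes, which is my reading of "all scripts" (the thread itself only mentions script tags); the SAMPLE input is constructed for the demonstration.

```python
import html
from html.parser import HTMLParser

# Inline event-handler attributes (onclick=...) are script too, so they are
# removed along with <script> elements; treating them as "scripts" is my
# assumption, the thread above only talks about script tags.

class ScriptStripper(HTMLParser):
    # The parser tokenises like a browser: tag and attribute names arrive
    # lower-cased, and a <script> body arrives as opaque text we can discard.
    def __init__(self):
        super().__init__()          # convert_charrefs=True: data is unescaped
        self.out, self.in_script = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            return
        if self.in_script:
            return
        kept = [name if value is None else f'{name}="{html.escape(value)}"'
                for name, value in attrs if not name.startswith("on")]
        self.out.append("<" + " ".join([tag, *kept]) + ">")

    def handle_startendtag(self, tag, attrs):
        if tag != "script":         # a bare <script/> is dropped outright
            self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        elif not self.in_script:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):    # comments and doctype are dropped by default
        if not self.in_script:
            self.out.append(html.escape(data, quote=False))

def strip_scripts(markup: str) -> str:
    """Return markup with all scripts removed (meant for the /preview path)."""
    parser = ScriptStripper()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

# Constructed sample of rendered Markdown carrying the kinds of script a
# preview request could contain (not taken from Marked).
SAMPLE = ('<h1>Report</h1>\n<script src="https://example.invalid/x.js"></script>\n'
          '<p onClick="alert(1)" class="note">Hello <b>world</b> &amp; co</p>\n'
          '<script>\n  document.title = "owned";\n</script>\n<img src="d.png"/>')
```

Libraries the user loads deliberately (Mermaid and the like) are removed too, which is the trade-off the thread describes for limiting the preview path only.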