Comments (3)
Hi,
- Unfortunately, no. I want to avoid XSS. But in a future release, I may add Markdown???
- I think you are correct. To fix the problem:
Remove the following line: Kemana-Directory/admin/listing_process.php, line 189 in 25359e4
And replace the following line: Kemana-Directory/admin/listing_process.php, line 239 in 25359e4
with this line: Kemana-Directory/admin/listing_process.php, line 238 in 1f3050f
from kemana-directory.
Thank you! I believe it fixes the bug.
About HTML. Well, people are used to knowing simple HTML tags like <b> and <img>,
and some formatting tags like color and size.
Of course it would be amazing to have a description editor something like on reddit or here (allowing the most important tags, and formatting even from copy/pasted text).
To prevent XSS, maybe we could just ignore other tags except our "whitelisted" ones?
and/or just replace <script> with <script<
everywhere in user input? I don't know much about XSS, so I could be wrong.
PS. Why is BB code disabled, and what made you decide that (just curious)?
from kemana-directory.
Hi,
Unfortunately, preventing XSS is not that easy; e.g., you can still do XSS by using:
<a href="javascript:alert(1)">
<div onclick="alert(1)">
<img src="javascript:alert(1)"> (doesn't actually work anymore in modern browsers)
<div style="background-image: url(javascript:alert(1))"> (doesn't work anymore)
Source: https://stackoverflow.com/questions/53427381/is-using-jquery-parsehtml-to-remove-script-tags-enough-to-prevent-xss-attacks
So, I think it's easier 😜 to remove HTML support altogether, except for the backend.
About BBCode. I removed it because my implementation of BBCode was flawed.
In the future, I may re-add BBCode or Markdown, or simply use plain text....?
from kemana-directory.
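The vectors quoted in the reply above are the usual argument for allowlisting markup rather than blocklisting strings such as `<script>`. The following is an added example, not code from Kemana-Directory (whose own handling would live in PHP, e.g. admin/listing_process.php): a small allowlist sanitizer in Python built on the standard library's HTML parser, run side by side with the `<script>` replacement suggested in the thread. The allowed tag set, the `naive_strip`/`sanitize`/`compare` names and the sample inputs are assumptions made for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist assumed for this example (not the project's real policy):
# tag name -> attributes that may be kept on it. Covers the <b>, <img>,
# colour and size tags mentioned in the thread.
ALLOWED_TAGS = {
    "b": set(), "i": set(), "p": set(), "br": set(),
    "a": {"href"}, "img": {"src", "alt"}, "font": {"color", "size"},
}
URL_ATTRS = {"href", "src"}          # attributes that carry a URL
SAFE_SCHEMES = {"http", "https"}     # javascript:, data:, vbscript: are rejected
VOID_TAGS = {"br", "img"}            # never get a closing tag
RAW_TEXT_TAGS = {"script", "style"}  # their bodies are dropped, not escaped


def naive_strip(user_input):
    """The approach floated in the thread: neutralise only the literal '<script>'."""
    return user_input.replace("<script>", "<script<")


def safe_url(value):
    """Accept relative URLs and http(s) only. Control characters and whitespace
    are removed first because browsers ignore them inside a scheme ('java\\tscript:')."""
    cleaned = "".join(ch for ch in value if ord(ch) > 32)
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises input keeping only allowlisted tags and attributes; any other
    markup is dropped and all text content is entity-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # attribute values arrive entity-decoded
        self.out = []
        self.open_tags = []
        self.skipping = None  # set while inside a <script>/<style> body

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in RAW_TEXT_TAGS:
            self.skipping = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; its text children still reach handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # onclick, style, ... or a bare attribute
            if name in URL_ATTRS and not safe_url(value):
                continue  # javascript:/data: URL, even if entity- or case-obfuscated
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in self.open_tags:
            while self.open_tags:  # also close mis-nested tags so output stays well-formed
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        while self.open_tags:  # close anything the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(user_input):
    parser = AllowlistSanitizer()
    parser.feed(user_input)
    parser.close()
    return parser.result()


# Constructed sample inputs: the four vectors quoted in the thread plus two that
# slip straight past naive_strip (upper case, and a tab hidden as an entity).
VECTORS = [
    '<a href="javascript:alert(1)">click</a>',
    '<div onclick="alert(1)">text</div>',
    '<img src="javascript:alert(1)">',
    '<div style="background-image: url(javascript:alert(1))">text</div>',
    "<SCRIPT>alert(1)</SCRIPT>",
    '<a href="java&#x09;script:alert(1)">click</a>',
]


def compare(inputs=VECTORS):
    """Return {input: (naive_strip output, sanitize output)} for each vector."""
    return {v: (naive_strip(v), sanitize(v)) for v in inputs}


if __name__ == "__main__":
    for raw, (naive, clean) in compare().items():
        print(f"{raw}\n  naive:     {naive}\n  allowlist: {clean}")
```

Running it shows the point of the reply: `naive_strip` leaves every one of the six inputs unchanged, while the allowlist reduces them to `<a>click</a>`, `text`, `<img>`, `text`, an empty string, and `<a>click</a>`. The scheme check on `href`/`src` is what closes the `javascript:` cases; dropping unknown attributes is what closes `onclick` and `style`. Escaping the output in the template afterwards is still required where plain text is displayed.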