Comments (5)
Would you mind submitting this as a pull request? I think the key and value should be HTML sanitized.
from gollum-lib.
OK, I submitted a pull request.
I did not add the HTML sanitization because I feel that it should be the user of the metadata that decides whether it needs to be sanitized rather than the parser of the metadata. I don't know all the possible use cases for metadata, so maybe it's only meant to be a way of setting bits of the generated HTML in which case always HTML sanitizing the metadata would be OK. OTOH, perhaps the page metadata could be used as a way to specify metadata (either to-be-embedded metadata like "keywords" or formatting metadata like page size/orientation) for a PDF or ePub file generated from a Gollum wiki, in which case one might want "PDF sanitization" instead (if there even is such a thing).
FWIW, setting the page title in Gollum with:
<!-- --- title: My Malicious Title </title><script>alert('hi!');</script> -->
does not result in an alert box being displayed. Instead, the title is displayed as:
My Malicious Title </title><script>alert('hi!');</script>
so it is already being at least HTML-escaped.
Smeagol utilizes the metadata to set a custom layout template. FYI, Smeagol is a tool to serve up a Gollum wiki as a customized read-only website. Thus it allows Gollum to be used as a sort of lightweight CMS system. So I definitely would like to see this feature return.
I think there is no problem with going ahead with the sanitizing. This was discussed before and I couldn't find any potential example where sanitizing would actually be a problem. Better to err on the side of caution now, and return to the question later if it presents any real issue.
Also note it would be pretty easy to support multi-line entries: just delay adding the entry until the next line has no indentation relative to the previous entry's.
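To make the two points of this thread concrete (escaping the parsed key/value pairs before they reach HTML, and the multi-line entry scheme suggested above), here is an added example in Ruby. It is not gollum-lib's own parser and does not reproduce its API: the module name, the parse_raw/escape_html split, the rule that a line indented more than the line that opened the current entry continues that entry, and the sample inputs are all assumptions of this example. Only the delimiter shape `<!-- --- key: value -->` is taken from the comment above.

```ruby
require 'cgi'

# Added example, not gollum-lib code. Parses a Gollum-style metadata comment
# block into a Hash, supports multi-line values through indented continuation
# lines, and HTML-escapes keys and values in a separate step so the consumer
# of the metadata decides when (and whether) to escape.
module GollumMetadataExample
  # Whole comment block; /m lets "." span newlines. Delimiter shape is taken
  # from the thread's example, everything else here is an assumption.
  BLOCK_RE = /<!--\s*---\s*(.*?)\s*-->/m
  # "key: value" where the key holds no colon, so the first colon separates.
  ENTRY_RE = /\A[ \t]*([^:\s][^:]*?)[ \t]*:[ \t]*(.*)\z/

  # Returns a Hash of UNescaped strings. A line indented more than the line
  # that opened the current entry is appended to that entry's value; the
  # entry is "closed" once indentation drops back.
  def self.parse_raw(content)
    m = BLOCK_RE.match(content)
    return {} unless m

    entries = {}
    current_key = nil
    current_indent = 0
    m[1].each_line do |raw|
      line = raw.chomp
      next if line.strip.empty?
      indent = line[/\A[ \t]*/].length
      if current_key && indent > current_indent
        # continuation line: join to the previous entry's value
        entries[current_key] = [entries[current_key], line.strip].reject(&:empty?).join("\n")
      elsif (kv = ENTRY_RE.match(line))
        current_key = kv[1]
        current_indent = indent
        entries[current_key] = kv[2] # duplicate keys: last one wins
      end
      # lines with no colon that are not indented are ignored
    end
    entries
  end

  # Escape for HTML element content (text nodes). Attribute values, URLs and
  # script contexts need their own encoders; this is not a general sanitizer.
  def self.escape_html(meta)
    meta.each_with_object({}) { |(k, v), h| h[CGI.escapeHTML(k)] = CGI.escapeHTML(v) }
  end

  # Convenience: parse and escape in one go (the "sanitize in the parser" option).
  def self.parse(content)
    escape_html(parse_raw(content))
  end
end

# Constructed sample inputs (not from a real wiki).
MALICIOUS_TITLE = "<!-- --- title: My Malicious Title </title><script>alert('hi!');</script> -->"
MULTILINE_BLOCK = <<~PAGE
  # Heading

  <!-- ---
  title: Hello
  keywords: one,
    two,
    three
  layout: custom
  -->

  Body text.
PAGE

if __FILE__ == $PROGRAM_NAME
  p GollumMetadataExample.parse_raw(MALICIOUS_TITLE)
  p GollumMetadataExample.parse(MALICIOUS_TITLE)
  p GollumMetadataExample.parse(MULTILINE_BLOCK)
end
```

parse_raw keeps the raw strings so a consumer writing to a non-HTML sink (the PDF/ePub case raised earlier) is not handed pre-escaped text; parse is the escape-at-the-parser variant. Either way the escaping only covers HTML text content, so a consumer that drops a value into an attribute or a script block still needs a context-appropriate encoder.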
Fixed in #30
Ah, awesome. Thanks!