Comments (5)
I feel the same as you, LESARQ. Instead of forcing the comment to be escaped, it might be given as an option such as escapeContent: true
with a warning.
from jquery-comments.
The content of the comment is escaped on purpose. If you insert the content into the DOM without escaping it, malicious users may inject JavaScript into the site. For example, if you post a comment
"<script>alert('Hi there!')</script>"
and insert it into the DOM straight up, all the users will be prompted with "Hi there!".
from jquery-comments.
Yes, I thought about that.
But should we stop a feature for such a triviality? If so, what's the solution? Should I perform a server-side validation?
from jquery-comments.
The issue is not as trivial as you may think; please check out the list of possible vulnerabilities at: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet. There's a good reason why Facebook, Google and even GitHub won't support pure HTML comments. If you wish to implement something like this, I recommend using a Markdown approach like the one implemented here on GitHub.
from jquery-comments.
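As an added example (not code from jquery-comments or its author), this combines the two points made above: the comment text is escaped first, exactly as the maintainer describes, and a small Markdown-style subset is then applied on top of the escaped string so users still get formatting without being able to inject HTML. The function names, the supported subset and the sample comments are my own assumptions.

```javascript
// Map every HTML-significant character to its entity so the browser treats
// the comment as text, never as markup.
function escapeHtml(text) {
  const entities = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  };
  return String(text).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Render a tiny Markdown subset: **bold**, `code`, and [label](https://url).
// Escaping runs FIRST, so the markup rules only ever see inert text. The
// link rule accepts http(s) targets only and stops at whitespace, so a
// quote or attribute smuggled into the URL cannot form a link at all.
function renderComment(text) {
  let html = escapeHtml(text);
  html = html.replace(/\*\*([^*]+)\*\*/g, '<strong>$1</strong>');
  html = html.replace(/`([^`]+)`/g, '<code>$1</code>');
  html = html.replace(
    /\[([^\]]+)\]\((https?:\/\/[^\s)]+)\)/g,
    '<a href="$2" rel="noopener noreferrer">$1</a>'
  );
  return html;
}

// Constructed sample inputs: the payload quoted in the thread, a comment
// that uses the allowed formatting, and a link with a non-http scheme.
const SCRIPT_COMMENT = "<script>alert('Hi there!')</script>";
const FORMATTED_COMMENT = 'Use **bold** and [docs](https://example.com/a?b=1&c=2)';
const BAD_SCHEME_COMMENT = '[click](javascript:alert(1))';

// The element content is set from renderComment(), never from the raw text.
function insertComment(container, text) {
  container.innerHTML = renderComment(text);
}

if (typeof module === 'undefined' || require.main === module) {
  console.log(renderComment(SCRIPT_COMMENT));
  console.log(renderComment(FORMATTED_COMMENT));
  console.log(renderComment(BAD_SCHEME_COMMENT));
}
```

Note that the `&` inside the sample URL reaches the href already entity-encoded, which is the correct form for an attribute value.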
Ok, I see.
However, there isn't any possible way to change server-side data. These are client-to-client actions.
I know it's bad anyway, but I'm using it on an intranet portal; no one inside a single company wants to inject some JS in a comment. If he wants to do it, he will suffer some consequences because I use comment history.
In the future I will implement that Markdown approach.
Thank you, that's the right solution.
from jquery-comments.