fix: escape user input in md2html to prevent XSS in live preview#244
Open
mrunalC27 wants to merge 1 commit into
Open
fix: escape user input in md2html to prevent XSS in live preview#244mrunalC27 wants to merge 1 commit into
mrunalC27 wants to merge 1 commit into
Conversation
✅ Deploy Preview for makeareadme ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Closes #243.
md2html()only escaped content inside fenced code blocks, leaving every other user-entered field (project name, description, features, etc.) unescaped before being inserted into the HTML rendered viadangerouslySetInnerHTMLinPreviewPanel.jsx.This allowed arbitrary HTML/JS typed into any field to execute immediately in the live preview.
Fix
Escape the full markdown input up front with the existing
esc()helper, before any of the markdown-to-HTML transforms run — the same approach already used for code blocks.esc()only touches&,<,>, so it doesn't interfere with any markdown syntax characters (*,#,`,[,],(,),|,-) that the transform pipeline relies on.Testing
<img src=x onerror=alert(1)>now renders as literal visible text instead of executing.&in query params), tables, and fenced code blocks all still render correctlyand are not double-escaped.
npm run buildpasses with no errors.Note
This was previously self-XSS only (no import/share-link feature currently loads another user's data), but is worth fixing regardless
as defense-in-depth before any such feature is added.