Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Does using angular-sanitize protect against Showdown XSS? #34

Open
canebat opened this issue Apr 16, 2015 · 2 comments
Open

Does using angular-sanitize protect against Showdown XSS? #34

canebat opened this issue Apr 16, 2015 · 2 comments

Comments

@canebat
Copy link

canebat commented Apr 16, 2015

Showdown has an XSS bug:
showdownjs/showdown#57

Will including angular-sanitize as you have it in the README help prevent this?
@tivie
Copy link

tivie commented May 28, 2015

You can't really prevent XSS attacks in showdown, before the input is fully parsed into HTML, because markdown provides a number of ways to inject a script that are very hard (or close to impossible) to detect my usual means.

So angular-sanitize should be used AFTER the HTML is processed. This prevents most of classic XSS attacks but does not prevent the defacing of your webpage (with images, for instance).

@JakobKallin
Copy link

Please note that the issue referenced is not about XSS - I just happened to discover it while writing about XSS. I have clarified this in the other issue's comment thread.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@JakobKallin @tivie @canebat