Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Potentially malicious links in Markdown previews are clickable #99

Open
btrask opened this issue Nov 8, 2015 · 0 comments
Open

Potentially malicious links in Markdown previews are clickable #99

btrask opened this issue Nov 8, 2015 · 0 comments
Labels
security

Comments

@btrask
Copy link
Owner

btrask commented Nov 8, 2015

In our preview generator for CommonMark Markdown files, we allow clickable links, including hash: links. That means we don't use cmark's "safe" link checker that prohibits javascript: links, among other protocols.

We should probably maintain our own whitelist.

  • http
  • hash
  • data?
  • ftp
  • NOT file
  • mailto

Let's look at cmark to see what else.
@btrask btrask added the security label Nov 8, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@btrask