You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
After conducting a security vulnerability analysis on the package, I noticed two opportunities for security vulnerabilities to make its way into applications when this package is being utilized. The first is the fact that sanitizing the input is optional with the 'sanitizeHtml' prop only seeming to work properly on rare cases. Since this is not a default behavior, even just a bare bones, simple sanitization, it can lead way to cross-site scripting. Furthermore, there is no way to check if the sanitizeHtml prop is in fact a sound function for sanitization and not a type of malicious function being passed in. While we do not want to restrict the user and also it would defeat the purpose of the translation. At least sanitizing the initial markdown input so if any HTML is inputted in it, it should not make way into the produced HTML, as only plain markdown text should. This would adhere to the intentional functionality of the package while making it safer to use.
The text was updated successfully, but these errors were encountered:
After conducting a security vulnerability analysis on the package, I noticed two opportunities for security vulnerabilities to make its way into applications when this package is being utilized. The first is the fact that sanitizing the input is optional with the 'sanitizeHtml' prop only seeming to work properly on rare cases. Since this is not a default behavior, even just a bare bones, simple sanitization, it can lead way to cross-site scripting. Furthermore, there is no way to check if the sanitizeHtml prop is in fact a sound function for sanitization and not a type of malicious function being passed in. While we do not want to restrict the user and also it would defeat the purpose of the translation. At least sanitizing the initial markdown input so if any HTML is inputted in it, it should not make way into the produced HTML, as only plain markdown text should. This would adhere to the intentional functionality of the package while making it safer to use.
The text was updated successfully, but these errors were encountered: