pijul_org / pijul

#107 Nest does not sanitize HTML in comments

Opened by michieldemuynck, on May 30, 2017
pmeunier commented on May 30, 2017

Hi! Thanks for reporting.

I just have two comments:

  • Nest does sanitise HTML, by using a standard markdown parser/renderer. Let's try it with backquotes: `<usize>`.

  • This issue would belong more in [/pijul_org/nest], but it's ok to keep it here.

michieldemuynck commented on May 30, 2017

For example: The following text should appear as "< b > test < / b >", without spaces, instead of appearing as bold text:


This should be fixed urgently because it allows cross-site scripting attacks.

pmeunier commented on May 30, 2017

Oops, thanks a lot for reporting that, this is indeed urgent.

Pijul is already protected against XSRF, but running arbitrary JS would allow the attacker to get the user's cookies, which is really bad.

Is there a standard solution to this?

pmeunier commented on July 2, 2017

I fixed this long ago, but for some reason forgot to close this issue. Thanks for reporting!
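
Added example, not part of the thread and not Nest's code: a toy comment renderer showing the two cases discussed above, `<b>test</b>` outside a code span and `<usize>` inside backquotes, with raw HTML either passed through or escaped. The function names `escape_html` and `render_comment` are hypothetical, and the renderer handles only backquoted code spans.

```rust
// Added example, not Nest's code: a toy comment renderer that understands
// only backquoted code spans, with the unsafe and the escaped behaviour.

/// Escape the characters that let text leave an HTML text node or attribute.
fn escape_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#39;"),
            _ => out.push(c),
        }
    }
    out
}

/// Render one comment to HTML. `allow_raw_html = true` copies text outside
/// code spans verbatim (the reported behaviour); `false` escapes everything.
fn render_comment(src: &str, allow_raw_html: bool) -> String {
    let count = src.split('`').count();
    let mut html = String::from("<p>");
    for (i, seg) in src.split('`').enumerate() {
        if i % 2 == 1 && i + 1 < count {
            // Segment enclosed by two backquotes: always escaped.
            html.push_str("<code>");
            html.push_str(&escape_html(seg));
            html.push_str("</code>");
            continue;
        }
        if i % 2 == 1 {
            html.push('`'); // unmatched backquote stays a literal character
        }
        if allow_raw_html {
            html.push_str(seg);
        } else {
            html.push_str(&escape_html(seg));
        }
    }
    html.push_str("</p>");
    html
}

fn main() {
    let comment = "<b>test</b> and `<usize>`"; // constructed from the thread's two cases
    println!("raw HTML allowed: {}", render_comment(comment, true));
    println!("escaped:          {}", render_comment(comment, false));
}
```

With escaping on, the `<b>` tag reaches the browser as text rather than markup, while the code span renders the same in both modes.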