Security feature request: a setting to block inline javascript #465
Labels
👀 no/external
This makes more sense somewhere else
Comments
Hi, could you please share your approach to filter those elements. |
|
Sure - we're sniffing for onX in a tag. If we find it, we re-enable escapeHtml for safety: |
|
This would be supported more directly through #428, which supports https://github.com/rehypejs/rehype-sanitize |
wooorm
added a commit
that referenced
this issue
Apr 12, 2021
* Replace `renderers` w/ `components` * Replace `allowNode` w/ `allowElement`, which is now given a hast element (as the first parameter) * Replace `allowedTypes` w/ `allowedElements` * Replace `disallowedTypes` w/ `disallowedElements` * Change signature of `linkTarget` and `transformLinkUri`, which are now given hast children (as the second parameter) * Change signature of `transformImageUri`, which is now given the `alt` string as the second parameter (instead of the fourth) * Replace `plugins` w/ `remarkPlugins` (backwards compatible change) * Add `rehypePlugins` * Change `includeNodeIndex` to `includeElementIndex`: it still sets an `index`, but that value now represents the number of preceding elements, it also sets a `siblingCount` (instead of `parentChildCount`) with the number of sibling elements in the parent * The `columnAlignment` prop is no longer given to table elements: it’s available as `style` on `th` and `td` elements instead * The `spread` prop is no longer given to list elements: it’s already handled Remove buggy HTML parsers from core * If you want HTML, add [`rehype-raw`](https://github.com/rehypejs/rehype-raw) to `rehypePlugins` and it’ll work without bugs! * Remove `allowDangerousHtml` (previously called `escapeHtml`) option: pass `rehype-raw` in `rehypePlugins` to allow HTML instead * Remove `with-html.js`, `plugins/html-parser.js` entries from library * Remove naïve HTML parser too: either use `rehype-raw` to properly support HTML, or don’t allow it at all Closes GH-549. Closes GH-563. The following issues are solved as rehype is now available: Closes GH-522. Closes GH-465. Closes GH-427. Closes GH-384. Closes GH-356. The following issues are solved as a proper HTML parser (`rehype-raw`) is now available: Closes GH-562. Closes GH-460. Closes GH-454. Closes GH-452. Closes GH-433. Closes GH-386. Closes GH-385. Closes GH-345. Closes GH-320. Closes GH-302. Closes GH-267. Closes GH-259. The following issues are solved as docs are improved: Closes GH-251.
|
This should be solved by landing GH-563 today, which will soon be released in v6.0.0! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Firstly, thank you for this useful package 👍
We want to allow html (so
escapeHtml={false}) -- but not allowonClick,onMouseOver,onXetc handlers -- as these would allow an attacker to inject javascript traps.I don't think there is a way to do this. So I'm requesting a feature to block inline javascript.
Meanwhile, we can achieve this by pre-filtering the input with a few regexs.
The text was updated successfully, but these errors were encountered: