The marked-element has sanitize set to false by default, meaning that users of it are vulnerable to XSS unless it occurs to them to add the word sanitize.
It would be more sensible to add a noSanitize property (that defaults to false), and people that really trust their markdown can set it.
It will be obvious to people who need no-sanitize that something's wrong, and most likely no harm will come to them as a result, unlike the current situation.
Expected outcome
That Polymer projects are not vulnerable to XSS
Actual outcome
Users of the marked-element need to ensure they pass the sanitize attribute to their tags, or they'll be vulnerable to XSS when using user-generated markdown.
I'm not proposing an upstream change, just proposing that we enable secure markdown by default, and allow people that want to allow arbitrary html (including scripts) to pass a no-sanitize for rendering trusted markdown.
This poor default has caused numerous XSS vulnerabilities.
So the proposal is simply to remove the sanitize boolean property, and create a noSanitize property that has the inverse meaning.
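To make the proposed inverse default concrete, here is an added example (not code from marked-element, the marked library, or anyone in this thread). It uses a hypothetical stand-in renderer, `renderMarkdown`, that escapes HTML in the input unless the caller passes `noSanitize: true`, so forgetting the option yields escaped (inert) output rather than live markup. The tiny markdown subset and the sample input are constructed for the example.

```javascript
// Added example: a secure-by-default markdown render path. The markdown
// converter is a hypothetical stand-in for the real library so this runs offline.

// Escape the characters that let raw input turn into markup or attributes.
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Minimal markdown subset: blank-line separated paragraphs and **bold**.
// Stands in for the real converter; it passes any HTML it sees straight through,
// which is exactly why the caller must decide about sanitizing beforehand.
function markdownToHtml(src) {
  return src
    .split(/\n{2,}/)
    .map((para) => para.trim())
    .filter((para) => para.length > 0)
    .map((para) => '<p>' + para.replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>') + '</p>')
    .join('\n');
}

// The inverse default the issue asks for: only an explicit `noSanitize: true`
// lets raw HTML through. Omitting the option, or passing anything else, escapes.
function renderMarkdown(src, options = {}) {
  const input = options.noSanitize === true ? src : escapeHtml(src);
  return markdownToHtml(input);
}

// Constructed sample of user-generated markdown that carries a script tag.
const userMarkdown = 'Hello **world**\n\n<script>alert(1)</script>';

// Render the same input both ways so the difference is visible.
function demo() {
  return {
    safe: renderMarkdown(userMarkdown),                       // default path
    trusted: renderMarkdown(userMarkdown, { noSanitize: true }), // explicit opt-out
  };
}

// Quick check a reviewer can run: the default output must contain no live tag.
function defaultOutputIsInert() {
  return !demo().safe.includes('<script');
}
```

The point of the strict `=== true` comparison is that a misspelled or stringly-typed attribute value falls back to the safe path, which mirrors the issue's argument that getting the opt-out wrong should fail visibly rather than silently open an XSS hole.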
This is a property of the used markdown lib? Sounds like a sensible default. ;) If there is agreement we should take this in, I can make up a PR for it. Thanks for the in-depth report btw