Sanitization of user generated content #720
Comments
I did a little more research... StackOverflow and Github for example accept the basic HTML tags inside Markdown, and the Markdown standard says the same. They simply strip (StackOverflow) or escape (Github) the unsafe tags (e.g. The strange thing about the default HTML renderer included in this gem is that it escapes/strips all or nothing. It doesn't have a way to remove only the unsafe tags (like StackOverflow and Github do). An alternative would be to render all HTML tags and then use an external |
And if anyone is curious why you can't add

Here's a one-liner you can copy/paste into the Rails console to auto-link links and automatically add

```ruby
ActionController::Base.helpers.sanitize(Redcarpet::Markdown.new(Redcarpet::Render::HTML.new(link_attributes: { rel: "nofollow" }), autolink: true).render("https://example.com"), attributes: ["rel"])
```

But this lets the user override

```ruby
ActionController::Base.helpers.sanitize(Redcarpet::Markdown.new(Redcarpet::Render::HTML.new(link_attributes: { rel: "nofollow" }), autolink: true).render('<a href="https://example.com" rel="">example</a>'), attributes: ["rel", "href"])
```

Another solution could be to do a second pass on the rendered HTML after |
For anyone just looking for a solution, here's an example of the inefficient triple pass in Rails:

```ruby
html = markdown.render(content)
sanitized_html = sanitize(html)
nofollowed_sanitized_html = sanitize(sanitized_html, scrubber: Loofah::Scrubbers::NoFollow.new)
```

Of course ideally you'd be able to accomplish this with just Redcarpet. |
To disincentivize spamdexing, links in user-generated content should be disavowed by annotation with `rel="nofollow"` attributes:

- https://en.wikipedia.org/wiki/Nofollow

Automated spam has already targeted OSEM in the wild:

- SeaGL/organization#274

Ideally link annotation would be performed during Markdown rendering or a single sanitization pass, but this is currently an unresolved issue:

- vmg/redcarpet#720
For me, the point of markdown is to remove the problems associated with insecure user input. I do want to permit some tags that are not natively supported however, e.g.

So why not strip out anchor tags and only allow them via autolinking?

```ruby
markdown = '<a href="https://google.com" rel="">google.com</a> and <a href="https://example.com" rel="">https://example.com</a>'
# give a whitelist of tags to permit
# ENSURE that `a` is not included
tags = %w[strong em sub sup details summary]
sanitized = ActionController::Base.helpers.sanitize(markdown, tags:) # "google.com and https://example.com"
Redcarpet::Markdown.new(
  Redcarpet::Render::HTML.new(link_attributes: {rel: :nofollow, target: :_blank}),
  autolink: true
).render(sanitized) # "<p>google.com and <a href=\"https://example.com\" rel=\"nofollow\" target=\"_blank\">https://example.com</a></p>\n"
```
Hello,

I read in the description that Redcarpet is "The safe Markdown parser".

Does that mean that it is safe to use it for untrusted user input? (e.g. forum, Q&A, comments, chat, etc.)

In particular I have tried:

Option 1

Use only this gem:

Downside: Users cannot use HTML tags inside markdown.

Option 2

Use another strategy (Rails `sanitize`) for sanitization:

Downside: You cannot add rel nofollow to links.

Documentation

It seems a pretty common need to use markdown parsing on user generated content (ugc).

Unfortunately I haven't found anything in the docs.

What strategy do you recommend?