Cross-Site Scripting

hoangloi

First, I highly rated Automad, this is all that is needed for me by a designer. Track from the first release to the present I decided to use the Automad for my client. It is very easy to reach however there are 1 problems that occur with the in-page editor mode. It accepts for JavaScript launching by embedding directly into it. This inadvertently leads to the risk of being attacked by Cross-site Scripting (XSS). So I believe we must eliminate this to avoid attacks with bad intentions to our site. Or if I have missed information about it you can help me deactivate this function.

This can happen in the Markdown formatted text @{ text | markdown }. With variables can be avoided by adding stripTags.

mad

hoangloi Hi, the In-Page editing is only available when beeing authenticated. That means that nobody can add JS except the user. The ability to add custom JS is actually quite important in some circumstances. Or maybe I misunderstand you? Could you please elaborate a bit more?

hoangloi

mad Hi Mad, Thank you for your reply. I understand the In-Page editing is only available when beeing authenticated. The scenario can happen like this: My client is a person who knows nothing about security. They often copy and paste content on the Internet. There will be moments when they accidentally copy content containing malicious code described through <script></script>. We can keep it, but I believe it should be more optional to remove the JS script for the user merely.

mad

hoangloi Hi, I understand. But in that case your client is part of the security issue. One option would be that you remove JS tags for your client's theme using replace to keep all other tags. But in my opinion that should not be the general approach. Many people want to add custom JS like Google Analytics or similar and they should have the option to do so I think.