Right now we are trusting that users who can access the admin site to create content will not do anything malicious. The current behavior allows users to input `<script>` tags into their content, which could lead to all sorts of XSS attacks. This issue will become especially concerning if we expand to allow user comments or anything like that.
The workaround is to use something like `bleach` to remove any HTML tags in the rendered output that aren't on a whitelist. Because of the extra work rendering will take, it might be smart to start storing the rendered version of a post in the database and recomputing it if the markdown content changes.
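As an added example (not code from this issue or the project), the sketch below shows the two ideas raised above in working form: an allowlist sanitizer applied to the rendered HTML, and a per-post cache of the rendered output keyed by a hash of the markdown so it is only recomputed when the content changes. The sanitizer is built on the standard-library `html.parser` so it runs without extra packages; it stands in for `bleach`, which is what should actually be used, since it is backed by a real HTML5 parser and has been hardened against many more edge cases than this. The `markdown_to_html` function is a placeholder for the project's real Markdown renderer (an assumption: it only handles paragraphs), and the `Post` class is a stand-in for the model, not the project's own.

```python
"""Allowlist HTML sanitizer plus hash-keyed render cache (illustration only).

Added example, not project code. Uses only the standard library; a real
deployment should use bleach (html5lib-backed) instead of this sanitizer.
"""
import hashlib
import html
from html.parser import HTMLParser

# Tags and attributes that survive sanitization. Everything else is dropped.
ALLOWED_TAGS = {"p", "em", "strong", "a", "code", "pre", "ul", "ol", "li",
                "blockquote", "h1", "h2", "h3", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
# href values must start with one of these; this rejects javascript:, data:,
# vbscript: and similar schemes.
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/", "#")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds an HTML fragment keeping only allowlisted tags/attributes."""

    def __init__(self):
        # convert_charrefs=True means entity-encoded text (e.g. &#106;avascript:)
        # is decoded before we see it, so scheme checks run on the real value.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack of emitted tags, used to keep output balanced
        self.skip_depth = 0   # > 0 while inside <script>/<style>: text is dropped too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # disallowed tag (img, iframe, b, ...): drop tag, keep its text
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, onerror=, style=, ...
            if name == "href" and not value.lower().lstrip().startswith(SAFE_URL_PREFIXES):
                continue  # drops unsafe URL schemes
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.open_tags:
            # Close everything opened after this tag as well, so output stays balanced.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))  # re-escape < > &

    # Comments, doctypes and processing instructions fall through to the base
    # class no-ops and are therefore dropped.

    def result(self):
        while self.open_tags:  # close anything the author left unclosed
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Return fragment with only allowlisted markup; text content is preserved."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


def markdown_to_html(md):
    """Placeholder for the real Markdown renderer (assumption: paragraphs only).

    Like real Markdown it passes raw HTML through untouched, which is exactly
    why the output must be sanitized afterwards.
    """
    paragraphs = [p.strip() for p in md.split("\n\n") if p.strip()]
    return "".join(f"<p>{p}</p>" for p in paragraphs)


class Post:
    """Stand-in for the post model: stores markdown plus the cached render."""

    def __init__(self, markdown):
        self.markdown = markdown
        self.rendered_html = None
        self.rendered_hash = None
        self.render_count = 0  # only here so the caching can be observed


def rendered_html(post):
    """Sanitized HTML for post, recomputed only when the markdown changed."""
    digest = hashlib.sha256(post.markdown.encode("utf-8")).hexdigest()
    if post.rendered_hash != digest:
        post.rendered_html = sanitize(markdown_to_html(post.markdown))
        post.rendered_hash = digest
        post.render_count += 1
    return post.rendered_html
```

Sanitizing after rendering (rather than escaping the markdown before rendering) is the right order: the Markdown renderer itself emits HTML, so only the final output can be judged against the allowlist. The hash comparison makes the cache self-invalidating, so the stored HTML can never go stale if a post is edited through some path that forgets to clear it.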