Channel: Mattermost Discussion Forums - Latest posts

URLs that are non-UTF-8 format


Hi @lfbrock, Thank you for considering my request.

I understand that you are using decodeURIComponent() in order to detect URLs that carry a risk of XSS.

Being able to decode a variety of character sets is not essential support for this matter.

decodeURIComponent() possibly does not guarantee that there is no risk of JavaScript execution.

For example, decodeURIComponent() does not throw an exception for a harmful URL such as the following:

It is not appropriate to use decodeURIComponent() to avoid XSS.

In fact, the XSS does not occur if this decodeURIComponent() is removed from the current Mattermost implementation. marked.js will not pass the harmful string to MattermostMarkdownRenderer#link, because it does not treat strings including things such as javascript:// and <script> as link items. So I submitted the PR.

If MattermostMarkdownRenderer would like to invalidate harmful URLs as an independent module, it can be realized by code such as:

// Drop the link entirely if href contains any character outside this allowlist
// (letters, digits and the punctuation a well-formed URL may contain).
if (/[^-A-Za-z0-9+&@#/%?=~_|!:,.;\(\)]/.test(href)) {
	return '';
}

To say it again, handling various character sets may not need to be considered in MattermostMarkdownRenderer#link. Only sanitization by detecting harmful URLs is necessary there.

