Released vibe-core 1.0.0 and vibe.d 0.8.0

Sönke Ludwig via Digitalmars-d-announce digitalmars-d-announce at puremagic.com
Sun Jul 16 02:17:37 PDT 2017


On 15.07.2017 at 23:54, tetyys wrote:
> very nice!
>
> one question about the </ encoding:
> https://github.com/rejectedsoftware/vibe.d/commit/e4a600f911218c49f9984734b8ba36f193e99c17
>
>
> wouldn't this
> https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Image_XSS_using_the_JavaScript_directive
> pass normally?

If a user-supplied image URL is passed to the "src" attribute unchecked, 
then yes. But this would work regardless of the JSON escape rules and 
really needs to be prevented by the application code.

However, I just noticed that this is still possible to exploit in the 
Markdown processor. User-defined HTML is filtered, but link targets are 
passed to the rendered HTML as-is (just HTML encoded).
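
The point made in the reply above, that HTML-encoding a link target does not neutralize a `javascript:` URL, shown as an added example that is not part of the original message and is not vibe.d's code: a scheme allowlist applied before the target reaches `href`. The function names and the `ALLOWED_SCHEMES` set are assumptions made for illustration.

```javascript
// Added example: scheme allowlist for Markdown link/image targets.
// ALLOWED_SCHEMES and all function names are hypothetical, not vibe.d API.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Plain HTML attribute/text encoding. Note that it leaves "javascript:" intact.
function htmlEncode(s) {
  return s.replace(/[&<>"']/g, c => ENTITIES[c]);
}

// Returns the normalized target if it may be placed in href/src, else null.
function safeLinkTarget(raw) {
  // Browsers drop tab/CR/LF anywhere in a URL and trim leading control
  // characters and spaces before reading the scheme, so normalize first.
  const url = raw.replace(/[\t\n\r]/g, "").replace(/^[\u0000-\u0020]+/, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(url);
  if (m) return ALLOWED_SCHEMES.has(m[1].toLowerCase()) ? url : null;
  // No well-formed scheme: treat as a relative reference, but reject a ':'
  // that appears before the first '/', '?' or '#' (ambiguous scheme-like text).
  const colon = url.indexOf(":");
  const delim = url.search(/[\/?#]/);
  if (colon !== -1 && (delim === -1 || colon < delim)) return null;
  return url;
}

// Emits a link only for allowed targets; otherwise keeps just the link text.
function renderLink(text, target) {
  const safe = safeLinkTarget(target);
  if (safe === null) return htmlEncode(text);
  return `<a href="${htmlEncode(safe)}">${htmlEncode(text)}</a>`;
}

// Constructed sample inputs.
const samples = ["https://example.org/a?b=1&c=2", "/docs/page#top",
                 "javascript:alert(1)", " JaVa\tScript:alert(1)", "data:text/html,x"];
for (const s of samples) console.log(JSON.stringify(s), "->", renderLink("link", s));
```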

