-
-
Notifications
You must be signed in to change notification settings - Fork 777
DR: Sanitize project markdown to prevent Liquid Injection attacks
This is a record in the Decision Records on Solutions Not Implemented.
Sanitizing project data by escaping HTML tags in the imported markdown for each project to prevent Liquid Injection attacks.
Refactoring the project loading code in assets/js/current-projects.js
to use regular expressions to escape HTML special characters before parsing the YAML into a JSON object rather than using liquid objects.
It was decided that since some projects use HTML tags in their descriptions (namely line breaks) and since any malicious code added to a project's markdown file would have to be added by someone with access to the entire codebase anyway, this issue would not provide enough of a security benefit to be worth the restrictions it would place on project descriptions.
Click the arrow below each category to view links (or view original alphabetical list by clicking "Pages" above) :