Replies: 49 comments 2 replies
-
I say we remove sanitizing all together and recommend |
Beta Was this translation helpful? Give feedback.
-
I'm +1 for using any external sanitizers only as we've never really used the internal one here. Even in the DOM we don't utilize it e.g. using Be aware that this change could affect other packages so strong announcements and CHANGELOGs are highly appreciated (and of course semver announcements too). :) |
Beta Was this translation helpful? Give feedback.
-
@Martii: Thanks for chiming in as well. Right now we don't have a direct way to contact users. I was hoping more people would have added themselves to the "users" portion of the Authors page, to be honest. So, we're counting on the tickets, milestones, and projects to give people the warning. We'll probably spend most of 1.x preparing people to lose things. @UziTech: Agreed. Tagging #1114 |
Beta Was this translation helpful? Give feedback.
-
If you're discussing escaping HTML... here's a solution that utilizes a browsers own filtering. If it breaks it means there's a browser vulnerability and you made yourself some nice pocket change via their vulnerability rewards program. var escape = document.createElement('textarea');
function escapeHTML(html) { escape.textContent=html; return escape.innerHTML; }
function unescapeHTML(html) { escape.innerHTML=html; return escape.textContent; } This doesn't solve the XSS vuln in the comment above but does for plenty of other things, assuming one doesn't want HTML code passthrough :) |
Beta Was this translation helpful? Give feedback.
-
Another 3rd party sanitizer I just found: https://github.com/rhysd/marked-sanitizer-github I can't say how secure it is but the point remains that marked doesn't need to ship with a sanitizer. Update: let's make a list of popular sanitizers so our users don't need to search the millions of packages and then they can make a decision:
➡️ See my response in #1388 for example code. |
Beta Was this translation helpful? Give feedback.
-
I think it's nice if marked has sanitization built-in. I tried to use |
Beta Was this translation helpful? Give feedback.
-
We will most likely have a plug-in to do sanitization with a third party library in the future to make it easy for people to use, but it doesn't make sense for core marked to have sanitization built in because it is not part of the markdown specs. |
Beta Was this translation helpful? Give feedback.
-
As a matter of fact the common mark spec explicitly allows unsanitized html |
Beta Was this translation helpful? Give feedback.
-
A plugin would be very nice. I am not an expert in XSS prevention and HTML sanitization (and I feel many other users aren't too) so it would be awesome if there is a standard/recommended way to do it. I found some articles online with examples like this one https://shuheikagawa.com/blog/2015/09/21/using-highlight-js-with-marked/ which seem to open up a possibility for XSS. Perhaps the plugin can be included by default (or in the getting started guide) because I am afraid many users don't realize the risk and apply the same marked configuration to untrusted data. |
Beta Was this translation helpful? Give feedback.
-
I wrote a benchmark to evaluate different sanitizers https://github.com/OrKoN/marked-benchmark I got some interesting results:
So with dom purify it seems to be roughly twice slower for me compared to the built-in sanitizer. P.S. updated the results. The previous message contained the wrong ones. |
Beta Was this translation helpful? Give feedback.
-
Another 3rd party sanitizer which looks suitable https://github.com/bevacqua/insane |
Beta Was this translation helpful? Give feedback.
-
FWIW, I just tried plugging in a third-party sanitizer (insane) for use with the const renderer = new marked.Renderer();
renderer.html = html => insane(html);
marked.setOptions({ renderer });
marked('<img src="sdfg" onerror="alert(1)">');
// expected: '<p><img src="sdfg"></p>'
// actual: '<p><img src="sdfg" onerror="alert(1)"></p>' It seems like the only safe way of doing this is passing the whole rendered output through the chosen third-party sanitizer, i.e. first set whitelist options that play nicely with your markdown setup (example for insane + marked + hljs), then use as a wrapper like this: insane(marked(input), insaneOptions); |
Beta Was this translation helpful? Give feedback.
-
@lionel-rowe I am wondering what is your use case? Because for me the expected result for the img case would be: |
Beta Was this translation helpful? Give feedback.
-
@lionel-rowe I have added your config for Does anyone have a good config for |
Beta Was this translation helpful? Give feedback.
-
@OrKoN See this DOMPurify comment for example usage. |
Beta Was this translation helpful? Give feedback.
-
@UziTech I just wanted to chime in here to say that I agree with @OrKoN that there are 2 different concepts of "sanitize" that are being conflated. I fear that the move to remove the
outputs
This is desired when the user entered content should be escaped HTML. One nice thing about keeping this functionality in the core of marked is that marked is the only functional layer that understands what's output and what's input. Consider this:
It's actually part of the Markdown spec to escape "<" with "\" (backslash) to identify html elements. This should also output the same thing as the example from above. None of the proposed solutions (DOMPurify, et al) solve this problem at all. I actually think this parameter should be renamed TL;DR: |
Beta Was this translation helpful? Give feedback.
-
@koczkatamas I'd like your thoughts on the above comment as well, since it looks like the current deprecation warnings were in your commit |
Beta Was this translation helpful? Give feedback.
-
@lunaru well, if you can solve escaping securely, then it's okay on my part, but I am not sure that the current (hardened) sanitize cannot be bypassed and used for XSS that's why I recommended deprecation. |
Beta Was this translation helpful? Give feedback.
-
@koczkatamas I think the sanitize vs escape concept might be conflated. Why does escape need to be 100% secure when sanitize will ultimately "guarantee" proper sanitization? A proper secure pipeline looks like this: As an example, this is perfectly valid:
And it's not the same as this:
That's because the |
Beta Was this translation helpful? Give feedback.
-
@lunaru escaping input and sanitizing output are separate tasks from converting markdown to html, which is why I believe it should be done separately.
I agree that marked should allow extensions to access it's tokenized data and alter it like #1232 (comment) I would like marked to be more extensible so we can focus on the task of converting markdown to html according to the specs, and other developers can focus on other tasks (sanitizing, escaping, etc). |
Beta Was this translation helpful? Give feedback.
-
@UziTech I don't disagree with the intention. However, I do think before removing the Also, I don't think the problem is that trivial. Consider the following, taken as an adaptation of your comment above:
Note that the output to
This outputs |
Beta Was this translation helpful? Give feedback.
-
I agree. The game plan right now is to get to 100% commonmark and gfm compliance then release v1.0 with (almost) all options deprecated, then make marked more extensible and remove options in v2.0 We will try to maintain a few extensions that function like each option we remove. |
Beta Was this translation helpful? Give feedback.
-
I agree sanitizing HTML is not the responsibility for marked. However since the deprecation notice I'm using this combination everywhere where I previously used only marked (browser apps): import marked from 'marked';
import DOMPurify from 'dompurify';
DOMPurify.sanitize(marked(myVar)) |
Beta Was this translation helpful? Give feedback.
-
Pluggable feature is good. |
Beta Was this translation helpful? Give feedback.
-
That is exactly what we want to see, the community making extensions 💯. Ideally marked will handle converting markdown to html according to the spec and extensions will allow users to change the functionality. We will hopefully be releasing v1.0 soon with a new extension system so extending marked will be easier in the future. |
Beta Was this translation helpful? Give feedback.
-
@UziTech Nice! |
Beta Was this translation helpful? Give feedback.
-
I've just created marked-plugin-sanitizer as PoC.
So marked-plugin-sanitizer works, but it is tricky code. |
Beta Was this translation helpful? Give feedback.
-
If you are trying to do any pre-processing of the markdown or post-processing of the html your better off just having them send your package the markdown and run it through marked inside your package. |
Beta Was this translation helpful? Give feedback.
-
a sanitizer is not really a panacaea for these kind of problems. it would be good to see marked use safe DOM operations ( |
Beta Was this translation helpful? Give feedback.
-
@Zemnmez marked converts markdown to html not to DOM nodes. Although you could create a renderer that does that. |
Beta Was this translation helpful? Give feedback.
-
Marked version: 0.3.19
Markdown flavor: n/a
Proposal type: other
What pain point are you perceiving?
Marked is taking on too much; or, at least more than it needs to.
What solution are you suggesting?
It appears at some point someone had the idea of adding sanitization to marked. Later, someone else had the idea of letting people plug in their own sanitizer.
I suggest we go for the latter and deprecate the former. Turning on sanitize doesn't really seem to give us much in all honesty.
Beta Was this translation helpful? Give feedback.
All reactions