New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

针对 XSS 处理的架构改进 #197

Closed

Chenrt-ggx opened this issue May 25, 2023 · 1 comment

Chenrt-ggx commented May 25, 2023

目前，lute 被发现多种 xss 漏洞，如下：

这表明，lute 在 xss 处理上可能存在架构设计问题、可能存在其它 xss 注入漏洞。因而，个人认为：

如果 lute 希望进行完善的 xss 过滤，建议重新设计并实现 xss 过滤或使用现有的过滤库。
如果 lute 希望尽可能进行 xss 过滤，请不要提供 SetSanitize 这一具有强烈误导性的功能，参考 marked。

Owner

88250 commented May 25, 2023 •

edited

Loading

我们希望 Lute 能够尽可能地进行 XSS 过滤，稍后会在 SetSanitize 函数文档上进行说明，非常感谢。

关联 #51

// SetSanitize 设置为 true 时表示对输出进行 XSS 过滤。
// 注意：Lute 目前的实现存在一些漏洞，请不要依赖它来防御 XSS 攻击。
func (lute *Lute) SetSanitize(b bool) {
	lute.RenderOptions.Sanitize = b
}

88250 closed this as completed in

2afc437

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment