JS in feed content isn't sanitized at all. #111
Comments
That's because of: moonmoon/app/classes/PlanetFeed.php, line 26 in ee9c408

Switching it to Maybe we should make both the full trigger configurable (but not recommended), or make a custom selection of the features to turn on/off? At least to force
It's almost the same config as `set_stupidly_fast(true)`, only we don't want to touch `add_attributes` (because it's valuable safety) and we do want to strip specific tags (among which `<script>`, see moonmoon#111).
Expected behavior
I expect JavaScript in feed content NOT to be run
Actual behavior
JavaScript in feed content runs
Steps to reproduce
```html
<script>document.location.replace('https://example.com');</script>
```
Moonmoon version
9.0.0-rc.3
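The configuration sketched in the comment above (the cosmetic speed-ups of `set_stupidly_fast(true)`, with tag and attribute stripping left on and `add_attributes` untouched), written out as an added example that is not moonmoon's code. It assumes moonmoon's feed class wraps SimplePie, that SimplePie is installed through Composer, and that SimplePie's default `strip_htmltags()` / `strip_attributes()` lists (which include `script`, `style`, `iframe`, `object`, `embed` and the `on*` event-handler attributes) are acceptable; `configureFeedSanitizer` and `renderFirstItem` are names chosen here. The feed document is constructed and embeds the payload from the steps to reproduce plus an `onerror` variant.

```php
<?php
// Added example, not moonmoon's own code. Assumes SimplePie is available via
// Composer autoloading.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Replacement for a bare set_stupidly_fast(true) call (hypothetical name).
 * Keeps the options that only cost time, but leaves the sanitizer switches
 * that stop feed-supplied markup from executing in the aggregator's page.
 */
function configureFeedSanitizer(SimplePie $feed): void
{
    // Same as set_stupidly_fast(true): purely cosmetic, safe to disable.
    $feed->enable_order_feed_items(false);
    $feed->remove_div(false);
    $feed->strip_comments(false);

    // Unlike set_stupidly_fast(true), keep tag stripping on. Calling the
    // setter with no argument uses SimplePie's default list; <script> and
    // <style> are removed together with their contents. Pass an explicit
    // array here if the project wants its own selection of tags.
    $feed->strip_htmltags();

    // Keep attribute stripping on as well: the default list drops inline
    // event handlers (onclick, onerror, onmouseover, ...) and style.
    $feed->strip_attributes();

    // Deliberately NOT calling $feed->add_attributes(false): the defaults
    // add preload="none" to <audio>/<video> and a sandbox to <iframe>,
    // which the comment above calls valuable safety.
}

/** Parse a raw feed string with the hardened config and return item 0's HTML. */
function renderFirstItem(string $xml): string
{
    $feed = new SimplePie();
    $feed->enable_cache(false);          // no on-disk cache for this demo
    configureFeedSanitizer($feed);
    $feed->set_raw_data($xml);           // feed from a string, not a URL
    $feed->init();
    $items = $feed->get_items();
    return $items ? $items[0]->get_content() : '';
}

// Constructed hostile feed: the issue's payload plus an event-handler variant.
$xml = <<<'XML'
<?xml version="1.0"?>
<rss version="2.0"><channel>
<title>constructed feed</title><link>http://example.com/</link>
<description>constructed for the example</description>
<item>
  <title>hostile item</title>
  <link>http://example.com/1</link>
  <description><![CDATA[<p>hello</p>
<script>document.location.replace('https://example.com');</script>
<img src="x" onerror="alert(1)">]]></description>
</item>
</channel></rss>
XML;

$html = renderFirstItem($xml);
// With the sanitizer active the <script> element is gone and the onerror
// attribute is dropped; the <p> and the <img> itself survive.
var_dump(strpos($html, '<script') === false);
var_dump(stripos($html, 'onerror') === false);
echo $html, PHP_EOL;
```

The check to repeat after any change to PlanetFeed.php is the last three lines: if either `var_dump` prints `false`, feed HTML is reaching the page unsanitized again. Note that this only covers markup SimplePie's default lists know about; anything the aggregator renders outside that path (titles, author names, link attributes) still needs escaping at output time.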