Fix typo in markdown sanitizer (#111258)
There was / is a typo in `markdownRenderer.js` that allowed any *trusted* document to pass arbitrary HTML through the marked.js sanitizer provided it is wrapped in `<span></span>` tags, or similar. What could you have done with this? Not much that was not already possible in trusted mode, which, as far as I can tell, is used just for Jupyter Notebooks that pretty much definitionally can execute Python anyway. Insane strips everything worthwhile except `<a data-href=''/>`, which you can use to send `command:` URIs on click (`javascript:` URIs are disabled at a higher level of abstraction), but those are already whitelisted (L141) for trusted documents.