Comments (5)
I thought about it before releasing but I don't want to remove such flexibility from Wink just to protect you form yourself or your team. I want you to be able to embed anything in the editor (Tweet, Instagram Post, YouTube Video, ServiceThatIsNotPopular Embeddable card, etc...)
With that comes risk yes, but if there's no trust between you and your team there's more harm than XSS can be done :)
from wink.
A cleaver way might be if we leave the option to the user, let's say we add "activate XSS protection" as a boolean value in the config, what do you think?
from wink.
@themsaid Fair enough... I would still add a mention somewhere as there might exists some sneaky 2 stage attacks this behaviour helps a lot.
But to be fair, HTMLPurifier could be use to remove at least the blatant js hacks based on html attributes and script tags. It wouldn't prevent you from using iframes and the rest for embeded cards.
With that comes risk yes, but if there's no trust between you and your team there's more harm than XSS can be done :)
Do you trust anyone you work with to be good with computer and never leave their logged in phone on a table ? Even without malice, a naive team member can do harm in this setup.
Once again, your call, but I'd add a disclaimer.
from wink.
@Lelectrolux I think I'm going to close this for now since I'm not really willing to disable the HTML embeds, but adding a note about it in the docs is a good idea. Will make sure I do that when the docs are ready.
Thanks :)
from wink.
Have a nice day.
from wink.
Related Issues (20)
- <pre> tag cause issues with highlightJS
- How can I use JetStream on Wink? HOT 1
- Using wink in a multi user blogging laravel application HOT 2
- Add ability to delete images attach when the post is deleted HOT 1
- Do you have documentation of the project?
- Logout (GET) and Login (POST) result in error if WINK_PATH is set to "/"
- How to avoid usage of new Function inside compiled app.js HOT 1
- Associate users with roles and permissions HOT 1
- Latest Laravel 9 php 8.1 HOT 4
- Publish assets not working HOT 1
- A notification should be created once the new post is created. HOT 2
- Using basic laravel authentification HOT 1
- Is this package abandoned? HOT 11
- Does Laravel 9 and php 8.1 support? HOT 1
- Will this support Laravel 10? If yes, by when? HOT 3
- Unable to Install on Laravel 10 with PHP 8.1 HOT 5
- I forgot my password and can't reset HOT 1
- Publish js/php files to modify and regenerate SPA {development and production workflow} HOT 1
- Blank page on production
- Tags and Slug Error
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from wink.