This repository has been archived by the owner on Jan 21, 2023. It is now read-only.

HTML tags should be escaped #144

Closed
deanpcmad opened this issue Jan 6, 2021 · 2 comments · Fixed by #248
Comments

@deanpcmad

I've just found this app and it looks really neat. While playing around with the example I found that any html tags can be added, which can be a security risk.

For example, adding the iframe tag:
https://og-image.vercel.app/**Hello**%20World%20%3Ciframe%20src='https:/deanpcmad.com/testfile.html'/%3E.png?fontSize=100px&theme=light&md=1

Renders out an image with an iframe:


I'm not sure if this is by design, I just feel html tags should be escaped?

@styfle
Member

styfle commented Jan 9, 2021

Hi @deanpcmad

This is expected when the md=1 option is used since markdown accepts arbitrary html.

You can use md=0 to use literal text instead.

You could also add something like sanitize-html or dompurify if you wanted to narrow down the accepted list of html tags.
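The two options in this comment, escaping the text outright (the `md=0` path) and narrowing the accepted HTML to an allowlist (what sanitize-html or DOMPurify would do), as an added example that is not code from og-image or from this thread. It assumes the sanitizer runs on the HTML string the markdown renderer already produced; the allowlist, the decision to drop every attribute on allowed tags, and the sample strings (including the `example.invalid` URL) are assumptions made for the example. A production service should use one of the libraries named above rather than a hand-written sanitizer; this block only shows the shape of the check.

```javascript
// Escape the five characters that can change meaning in HTML text/attributes.
// This is the literal-text (md=0) path: nothing the user types becomes markup.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Assumed allowlist for the markdown (md=1) path: inline formatting only.
// No iframe, script, img, a, style, or anything that carries a URL or handler.
const ALLOWED_TAGS = new Set(['strong', 'b', 'em', 'i', 'code', 'p', 'br']);

// Matches one simple tag at the start of the string: optional '/', a tag name,
// optional attributes (no angle brackets), optional self-closing '/', then '>'.
const TAG_AT_START = /^<(\/?)([a-zA-Z][a-zA-Z0-9-]*)(?:\s[^<>]*)?\/?>/;

// Walk the rendered HTML. Every '<' either begins an allowlisted tag, which is
// re-emitted with ALL attributes stripped, or is escaped so the browser shows it
// as text. Escaping (rather than deleting) disallowed tags avoids the classic
// mistake where removed fragments reassemble into a new tag.
function sanitizeRenderedHtml(html) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') {
      out += html[i];
      i += 1;
      continue;
    }
    const m = TAG_AT_START.exec(html.slice(i));
    if (m && ALLOWED_TAGS.has(m[2].toLowerCase())) {
      out += `<${m[1]}${m[2].toLowerCase()}>`; // attributes dropped on purpose
      i += m[0].length;
    } else if (m) {
      out += escapeHtml(m[0]); // a real tag, but not allowlisted: show it literally
      i += m[0].length;
    } else {
      out += '&lt;'; // a bare '<' that is not a tag (e.g. "<3")
      i += 1;
    }
  }
  return out;
}

// What the image route would do with the text it is asked to render.
// `renderedHtml` stands in for the markdown renderer's output (assumed).
function renderForImage(renderedHtml, { md }) {
  return md ? sanitizeRenderedHtml(renderedHtml) : escapeHtml(renderedHtml);
}

// Constructed sample modelled on the report: bold text followed by an injected iframe.
const SAMPLE = "<strong>Hello</strong> World <iframe src='https://example.invalid/testfile.html'/>";
console.log(renderForImage(SAMPLE, { md: true }));
console.log(renderForImage(SAMPLE, { md: false }));
```

With `md: true` the `<strong>` survives and the iframe is displayed as text; with `md: false` everything, including the bold markup, is shown literally, which is the behaviour the comment describes for `md=0`.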

@leerob
Member

leerob commented Jan 19, 2023

Closing in favor of #226

@leerob leerob closed this as completed Jan 19, 2023
styfle added a commit that referenced this issue Jan 20, 2023