Markdown in user comments (with proper sanitizing and YouTube videos)

I'm stuck on deciding how I should proceed with Markdown processing and HTML sanitizing. I have these user requirements for comments/articles:

  1. Users should be able to use Markdown syntax
  2. Users should be able to post YouTube videos / yandex.music audio
  3. Of course, users shouldn't be trusted and their input should be validated against all kinds of attacks
  4. In particular, I don't want to allow users to submit arbitrary iframes

I even submitted a fix to the markdig library to support yandex.music in media extensions. But now I'm stuck. These are the options I've explored:

Markdig, then HtmlRuleSanitizer

I configured Markdig to convert youtube/yandex.music to iframes, then sanitize with HtmlRuleSanitizer. HtmlRuleSanitizer doesn't have an option to allow iframes only for whitelisted domains, so it will either strip out youtube.com or allow evilsite.com. I submitted a suggestion but haven't received any answer.

HtmlRuleSanitizer, then Markdig

As far as I can understand, that will allow all kinds of XSS attacks, because the Markdown-to-HTML transform is inherently unsafe.

HTML-escape everything, then Markdig

According to the same article, that's not safe either.

Markdig, then HtmlSanitizer

This sanitizer has appropriate hooks (post-process node), but I'm worried about the support of this library, and especially of its main dependency, AngleSharp (it has active reproducible crashes, and seems to be in active development without providing a stable API, so HtmlSanitizer seems to have a hard time keeping up).

So, any suggestions on how I could achieve this goal? I refuse to believe that I'm the only one with this issue, and I do hope it should be solvable with existing libraries in .NET. I'm ready to contribute some feature upstream, if required, but I am not ready to fork anything. :-)

Solution 1:

This is solved by additions to HtmlRuleSanitizer, specifically by the addition of the IHtmlAttributeSanitizer interface and the SanitizeAttributes method.

See the example here: https://github.com/leotsarev/joinrpg-net/blob/88df35fedc5cee73067e9fec9e850cb02826c576/src/JoinRpg.Markdown/HtmlSanitizers.cs#L45
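The attribute-level check the answer points to, shown as an added example that is neither the original post's code nor HtmlRuleSanitizer's API: a Python stand-in (the post's stack is .NET, but the logic is the same) for the "Markdig, then sanitize" step. After Markdown has been rendered to HTML, the sanitizer keeps an `<iframe>` only when its `src` is an `https` URL whose host exactly matches an allow-list, drops every other tag and attribute not on the list, and rejects `javascript:` links. The host list, tag list and sample inputs are constructed assumptions, not values from the post.

```python
"""Post-Markdown HTML sanitizer with a domain allow-list for <iframe> embeds.

Added example (Python stand-in for the .NET pipeline in the post). All policy
values below are assumptions for illustration, not from the original post.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy: tags a Markdown renderer commonly emits; iframe is handled separately.
ALLOWED_TAGS = {"p", "em", "strong", "a", "ul", "ol", "li", "code", "pre",
                "blockquote", "br", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href"}, "iframe": {"src", "width", "height", "allowfullscreen"}}
# Exact host matches only. A substring test ("youtube.com" in src) would be
# defeated by hosts such as www.youtube.com.evil.example or by userinfo tricks.
EMBED_HOSTS = {"www.youtube.com", "www.youtube-nocookie.com", "music.yandex.ru"}
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}  # tag and its text content are both removed


def is_allowed_embed(src):
    """True only for https URLs whose host is exactly one of EMBED_HOSTS."""
    try:
        parts = urlsplit(src.strip())
        host = parts.hostname  # strips userinfo and port, lowercases
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    return parts.scheme == "https" and host in EMBED_HOSTS


def is_safe_href(href):
    """Allow http(s), mailto and relative links; reject javascript:, data:, etc."""
    try:
        parts = urlsplit(href.strip())
    except ValueError:
        return False
    if parts.scheme in ("http", "https", "mailto"):
        return True
    return parts.scheme == "" and parts.netloc == ""  # plain relative path


class AllowListSanitizer(HTMLParser):
    """Re-serialises the input, emitting only allow-listed tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._iframe_kept = []   # stack: was each <iframe> start tag kept?
        self._skipping = None    # tag whose text content is currently dropped

    def _emit_tag(self, tag, attrs):
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onload=, style=, etc.
            if tag == "a" and name == "href" and not is_safe_href(value or ""):
                continue  # keep the <a>, drop the dangerous href
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_starttag(self, tag, attrs):
        if self._skipping:
            return
        if tag in DROP_CONTENT_TAGS:
            self._skipping = tag
            return
        if tag == "iframe":
            kept = is_allowed_embed(dict(attrs).get("src") or "")
            self._iframe_kept.append(kept)
            if kept:
                self._emit_tag(tag, attrs)
            return
        if tag in ALLOWED_TAGS:
            self._emit_tag(tag, attrs)

    def handle_endtag(self, tag):
        if self._skipping:
            if tag == self._skipping:
                self._skipping = None
            return
        if tag == "iframe":
            if self._iframe_kept and self._iframe_kept.pop():
                self.out.append("</iframe>")
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skipping:
            self.out.append(escape(data, quote=False))  # text is always re-escaped


def sanitize(html):
    """Return html containing only allow-listed tags/attributes and vetted embeds."""
    parser = AllowListSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample resembling renderer output: one legitimate embed, one not.
    sample = ('<p>Look: <iframe src="https://www.youtube.com/embed/VIDEOID"></iframe></p>'
              '<p><iframe src="https://evilsite.example/" onload="x()"></iframe></p>')
    print(sanitize(sample))
```

The order matters for the same reason the question gives: sanitizing runs on the final HTML, after Markdown rendering, so nothing the renderer produces from raw HTML or link syntax reaches the page unchecked. The embed decision is made per attribute value with a real URL parser, which is what an attribute-level hook such as the one the answer describes lets you plug in.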

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution source: Solution 1 by Leotsarev