
I use Markdown.js, and I use sanitize-html against XSS attacks.

I have read most of the articles about XSS attacks (for anyone who wants to use markdown.js), like this one, "markdown securely", and one more, "markdown-xss-testing".

Please look at my code: is this enough or not (against XSS attacks)?

This is my server.js:

    // Markdown.js is published on npm as "markdown", sanitize-html as "sanitize-html"
    var markdown = require('markdown').markdown;
    var sanitizeHtml = require('sanitize-html');

    var comment = req.body.comment;          // untrusted user input
    var z = markdown.toHTML(comment);        // Markdown -> HTML (may still carry hostile markup)
    var clean = sanitizeHtml(z, {            // allow-list what survives
      allowedTags: ['b', 'i', 'em', 'strong', 'a', 'h1', 'img', 'blockquote'],
      allowedAttributes: { 'a': ['href'], 'img': ['src'] },
      allowedIframeHostnames: []
    });
console.log(clean)

And I tried some payloads (each value is req.body.comment) for XSS attacks, like these:

    [Example](javascript://\nalert%28%22xss%22%29)    //req.body.comment
    {@onclick=alert('hi')}some paragraph              //req.body.comment
    [test](javascript://%0d%0aprompt(1))              //req.body.comment

Output of console.log(clean):

    <a>Example</a>
    {@onclick=alert('hi')}some paragraph          //not clickable
    <a>test</a>

I have tried many other payloads and the attacks were always blocked.
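An added harness for answering "is this enough?" more systematically. This is not the poster's code and not code from sanitize-html or markdown.js: it runs a corpus of payloads through any render+sanitize pair and flags output that still carries executable content. The stricter option set, the payload list and the `urlScheme` helper are my own assumptions; `urlScheme` is a simplified illustration of how a sanitizer normalises an href before comparing its scheme against the allow-list (which is why the `javascript://%0d%0a...` links in the question come back as bare `<a>`), not sanitize-html's implementation. Only `main()` needs the two packages installed; the helpers run without them.

```javascript
// Added example, not code from the question, from sanitize-html or from
// markdown.js: a harness for checking a Markdown -> HTML -> sanitize
// pipeline against an XSS payload corpus. The two library calls live only
// in main(), so everything else runs without either package installed.

// Stricter option set for sanitize-html (values are my own choice). The
// question's options omit allowedSchemes and rely on the library default;
// spelling it out makes the URL policy part of the reviewed configuration.
const STRICT_OPTIONS = {
  allowedTags: ['b', 'i', 'em', 'strong', 'a', 'h1', 'img', 'blockquote'],
  allowedAttributes: { a: ['href'], img: ['src'] },
  allowedSchemes: ['http', 'https', 'mailto'],   // no data:, no javascript:
  allowedSchemesByTag: { img: ['https'] },        // images only over https
  allowedIframeHostnames: [],
  disallowedTagsMode: 'discard',                  // drop the tag, keep its text
};

// Decode numeric character references plus the two named entities that are
// commonly used to smuggle whitespace into a scheme.
function decodeEntities(s) {
  const fromCode = (n) => (n > 0x10ffff ? '' : String.fromCodePoint(n));
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCode(parseInt(d, 10)))
    .replace(/&tab;/gi, '\t')
    .replace(/&newline;/gi, '\n');
}

// Simplified illustration of the scheme check a sanitizer applies to an
// href (not sanitize-html's code): decode entities, strip control and
// whitespace characters, then read the scheme. "javascript://%0d%0a..."
// is still javascript:, because whatever follows the scheme is irrelevant.
function urlScheme(href) {
  const cleaned = decodeEntities(href).replace(/[\x00-\x20]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;   // null: relative URL, no scheme
}

function hrefAllowed(href, allowedSchemes) {
  const scheme = urlScheme(href);
  return scheme === null || allowedSchemes.includes(scheme);
}

// Tripwire over the sanitizer's OUTPUT (not a sanitizer itself): true if
// the HTML still contains an executable tag, an event-handler attribute or
// an href/src with a disallowed scheme. Only markup inside tags is
// inspected, so plain text such as "{@onclick=alert('hi')}" is not a hit.
function looksDangerous(html, allowedSchemes = STRICT_OPTIONS.allowedSchemes) {
  const tags = html.match(/<[a-z][^>]*>/gi) || [];
  for (const tag of tags) {
    const t = decodeEntities(tag).toLowerCase();
    if (/^<\s*(script|iframe|object|embed|svg|math|style|form)\b/.test(t)) return true;
    if (/[\s"']on[a-z]+\s*=/.test(t)) return true;
    const attr = /\b(href|src)\s*=\s*["']?([^"'\s>]*)/.exec(t);   // first href/src only
    if (attr && !hrefAllowed(attr[2], allowedSchemes)) return true;
  }
  return false;
}

// Constructed payload corpus: the three from the question plus variants
// (case, entity-smuggled whitespace, data: URLs, raw HTML) that a
// Markdown sanitizer must also survive.
const PAYLOADS = [
  '[Example](javascript://\nalert%28%22xss%22%29)',
  "{@onclick=alert('hi')}some paragraph",
  '[test](javascript://%0d%0aprompt(1))',
  '[x](JaVaScRiPt:alert(1))',
  '[x](java&#9;script:alert(1))',
  '[x](&#106;avascript:alert(1))',
  '![x](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)',
  '<img src=x onerror=alert(1)>',
  '<a href="javascript:alert(1)">raw html</a>',
  '<svg onload=alert(1)>',
];

// Run every payload through a render+sanitize pair and return those whose
// final HTML still looks executable. Both steps are plain functions, so
// the harness wraps any Markdown library, not only markdown.js.
function findSurvivors(render, sanitize, payloads = PAYLOADS) {
  const survivors = [];
  for (const payload of payloads) {
    const output = sanitize(render(payload));
    if (looksDangerous(output)) survivors.push({ payload, output });
  }
  return survivors;
}

// With both packages installed (npm install markdown sanitize-html) this
// runs the question's pipeline under STRICT_OPTIONS.
function main() {
  const { markdown } = require('markdown');
  const sanitizeHtml = require('sanitize-html');
  const survivors = findSurvivors(
    (md) => markdown.toHTML(md),
    (html) => sanitizeHtml(html, STRICT_OPTIONS)
  );
  console.log(survivors.length === 0 ? 'no payload survived sanitization' : survivors);
}

if (typeof require !== 'undefined' && require.main === module) main();
```

The harness deliberately checks the sanitizer's output rather than trusting that a given payload "looks stripped": a bare `<a>` is only safe because the scheme check fired, and adding one more allowed tag or attribute later can silently reopen the same hole, so keep the corpus in the test suite and rerun it whenever the allow-list changes.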

  • I do not know English very well, so I could not explain my question very well. So sorry. – ŞükSefHam Feb 20 '18 at 19:50
  • For reference, I've asked a similar question about `DOMPurify` and `markdown-it` that may be of help: https://stackoverflow.com/questions/52741262/how-to-install-import-and-use-dompurify-in-frontend-js-file – user1063287 Oct 10 '18 at 13:40

0 Answers