Using Markdown with Sanitization
Websites often use Markdown to allow their users to create content. It provides a lightweight markup language that can be converted to HTML and other formats by many common libraries.
There has been some recent discussion in the news about Markdown-based XSS exploits in major websites like Pastebin.
The root of the issue is that the Markdown specification actively encourages HTML in Markdown, but that isn't a good default for sites that are worried about code injection attacks.
I've spent the last few weeks thinking about React from a secure coding perspective. Since React is a library for creating component-based user interfaces, most of the attack surface is related to issues with rendering elements in the DOM. The smart folks over at Facebook have handled this by building automatic escaping into the React DOM library code.
Built-in Escaping is Limited
The escaping code in React DOM works great when you are passing a string value into `[...children]`. Notice the other two arguments to `React.createElement`, such as `[props]`: values passed into them are unescaped.
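Added example (not code from the original post) of a defender-side check for the unescaped argument: a Markdown link `[text](url)` puts its text into `children`, which React DOM escapes, but its URL into the `href` prop, which React DOM passes through untouched. The helper names (`sanitizeHref`, `markdownLinkElement`) and the plain-object element shape standing in for `React.createElement` are assumptions made so the example runs without React installed.

```javascript
// Schemes a Markdown link is allowed to point at. Anything else
// (javascript:, data:, vbscript:, ...) is dropped before it becomes a prop.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Base used only so relative links parse; its value is never returned.
const RESOLVE_BASE = "https://example.invalid/";

// Returns the href string to hand to React, or null when the link must be
// dropped. The caller decides what to render in the null case.
function sanitizeHref(rawHref) {
  if (typeof rawHref !== "string") return null;
  // Strip ASCII control characters and whitespace: browsers ignore them when
  // parsing a URL, so a naive prefix check on "javascript:" would be bypassed.
  const cleaned = rawHref.replace(/[\u0000-\u0020\u007f]/g, "");
  if (cleaned === "") return null;
  let parsed;
  try {
    parsed = new URL(cleaned, RESOLVE_BASE); // WHATWG parser lowercases the scheme
  } catch {
    return null; // unparsable input is never passed through
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  // Return the cleaned original so relative links stay relative.
  return cleaned;
}

// Element for a Markdown link, as a plain object mirroring the
// React.createElement(type, props, children) arguments. The text goes in
// `children` (escaped by React DOM); the href goes in `props` (not escaped),
// so it is validated first.
function markdownLinkElement(text, rawHref) {
  const href = sanitizeHref(rawHref);
  if (href === null) {
    // Keep the visible text, drop the link entirely.
    return { type: "span", props: {}, children: text };
  }
  return {
    type: "a",
    props: { href, rel: "noopener noreferrer" },
    children: text,
  };
}
```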