I realized today that some applications out there still use #BBCode for non-legacy reasons. I really have no idea why anybody would do that in the year 2020. It’s a very questionable decision security-wise, and it has no usability benefits either. #infosec #security #XSS
Hypolite Petovan
Yellow Flag
Hypolite Petovan
For applications that only require basic formatting, Markdown is hands down the better candidate for the job, but I have no experience adding custom markup for Markdown so I have no idea what it would entail for us.
Security-wise, we're looking into using an HTML sanitization library so that we can precisely control what's being produced because we've had a recent report about an XSS vulnerability so I'm with you on that front.
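Added here as an illustration, not Friendica's code or any particular library's: a minimal allowlist sanitizer built on Python's standard library, showing what it means to control precisely which tags, attributes and link schemes can reach the output (the allowlists themselves are assumptions chosen for the example).

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for illustration: only these tags/attributes ever reach the output.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}

def safe_href(value):
    # Browsers ignore leading control characters and embedded tab/newline in a URL, so drop them first.
    cleaned = value.strip("".join(map(chr, range(33)))).translate({9: None, 10: None, 13: None})
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES  # relative links or allowlisted schemes only

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities such as &colon; are decoded before checks
        self.out, self.open_tags = [], []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop <script>, <img>, ...; their text content is still escaped below
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # removes on* handlers, style, and anything not listed
            if name == "href" and not safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)
    def handle_endtag(self, tag):
        if tag in self.open_tags:  # close inner tags first so the output stays balanced
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is always escaped, never passed through
    def run(self, html):
        self.feed(html)
        self.close()  # flush buffered text, then close anything left open
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)

def sanitize(html):
    return AllowlistSanitizer().run(html)
```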
Yellow Flag
So it’s all about custom markup? Off the top of my head, a generic solution with Markdown would be adding some custom HTML tags. These can be processed independently of the Markdown processor, either before or after the processor runs (security-wise the former is preferable but might not be flexible enough).
Hypolite Petovan
It is about custom markup but it also is about legacy reasons (but your original post was not about them). The Friendica project was started in 2010 by someone who didn't care about the right way to program and cared more about privacy than security or usability. So we have been constantly wrestling with legacy code and behaviors which has somewhat hampered our efforts to improve the software.
Thank you for the suggestion, we also have been looking into using a BBCode lexer to both improve security and allow tag nesting but we've run into specific compatibility issues that the upstream library reportedly fixed, but I haven't taken the time to go back to it.
Beko Pharm (deprecated)
Hypolite Petovan
Notice the different display name and profile picture from both his current ones on Mastodon and on GitHub.
Beko Pharm (deprecated)
Hypolite Petovan
Additionally, missing the connection was inconsequential because I would have replied the same to him whether I knew he posted the GitHub issue or not as we didn't go into the why on the issue.