Open
Description
Codimd seems to support custom CSS. This opens the door to adding malicious CSS payloads. On the harmless end, this would be an example:

```css
body { opacity: 0; }
```
Do server admins currently have the ability to disable custom CSS?
In cases where the feature is enabled, I suggest you employ a sandboxing approach: moving the displayed markdown inside an iframe, and leaving this issue open to track the implications of custom CSS and to develop novel sandboxing ideas.
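One way to implement the iframe sandbox suggested above, added here as an example that is not CodiMD's own code: the rendered note and its custom CSS are placed in a `srcdoc` frame with an empty `sandbox` attribute, so the CSS only affects the note, never the editor around it. The helper names (`escapeCssForStyleTag`, `buildSandboxedViewer`, `mountViewer`) and the CSP string are assumptions, not anything CodiMD ships.

```javascript
// Added example, not CodiMD's code. Render note HTML plus user CSS inside a
// sandboxed iframe so the CSS cannot reach the host page's DOM or cookies.

// Hypothetical helper: keep user CSS from terminating the <style> element.
// CSS permits hex escapes, so "<" becomes "\3c " and "</style>" inside the
// user's stylesheet no longer closes the tag we wrap it in.
function escapeCssForStyleTag(css) {
  return css.replace(/</g, '\\3c ');
}

// Build the attributes for the viewer frame. Returns a plain object so the
// logic can be checked without a DOM.
function buildSandboxedViewer(renderedHtml, customCss) {
  // script-src falls back to default-src 'none'; inline styles are the whole
  // point of the feature, so they stay allowed. img-src is the one remaining
  // channel through which CSS can request URLs, which is why the frame also
  // carries an opaque origin (see the sandbox attribute below).
  const csp = "default-src 'none'; style-src 'unsafe-inline'; img-src https: data:";
  const srcdoc =
    '<!doctype html><html><head>' +
    `<meta http-equiv="Content-Security-Policy" content="${csp}">` +
    `<style>${escapeCssForStyleTag(customCss)}</style>` +
    `</head><body>${renderedHtml}</body></html>`;
  return {
    // An empty sandbox grants nothing: no scripts, no forms, no top-level
    // navigation and, crucially, no allow-same-origin, so the frame gets an
    // opaque origin distinct from the editor's.
    sandbox: '',
    srcdoc,
  };
}

// Browser-side usage: attach the frame to a container element.
function mountViewer(container, viewer) {
  const frame = document.createElement('iframe');
  frame.setAttribute('sandbox', viewer.sandbox);
  frame.setAttribute('srcdoc', viewer.srcdoc);
  container.appendChild(frame);
  return frame;
}
```

With this in place, the `body { opacity: 0; }` payload from the issue still blanks the note's own frame, but the editor chrome, menus and session remain untouched.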