Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Strip HTML Tags from Q&A comments
See original GitHub issueDescribe the bug
Artemis seems like it is not filtering multiple types of HTML Tags. At least everywhere where markdown is allowed, HTML works almost unrestricted.
To Reproduce
- Go to a page where markdown embedding is allowed (either the instructors’ view or the Q&A Sections)
- Add HTML Style Tags or something similar to your comment
- Save the change
- Reload the page
Expected behavior
The HTML Tags should get removed (at least most of them). Script tags seem to get removed, but I am pretty sure there are ways to exploit this feature and execute JavaScript in the client too.
Ideas I have not tried before: Add an img tag with no src and add JavaScript as an onerror attribute. If you get this to work, you should be able to do anything. (Edit: attributes seem to also get removed, so this should not be a problem)
Screenshots
The Tutorial Course Page after inserting a style tag into the comments, which flips the whole page.
You are even able to rewrite complete parts of the problem statement.
Issue Analytics
- State:
- Created 3 years ago
- Comments:9 (5 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
I will keep this updated
Tags that we use in exercise problem statements:
<code><pre><style><detail><summary></summary></detail>I drafted a PR which will restrict what can be used in student questions and answers, but leave other areas (e.g. exercise problem statements) untouched: #2593