Comments (5)
Note: I originally posted this as a comment in #8 but since I don't have permission to reopen that issue, I started a new one.
Do you have any suggestions as to what we could do to stop scripts from exploiting that?
OK took a closer look.
First tried my initial suggestion:
<iframe src="https://raw.github.com/dergachev/githtml/master/example.html" width="400" height="400"></iframe>
This fails because github purposely discourages hosting the HTML from github.com (instead of their Github Pages platform). See this related discussion
So the only other idea I have (without resorting to a proxy service, of course) is to use the HTML5 iframe sandbox/srcdoc attributes. I hacked my version of githtml.js to use it as a quick proof of concept.
See the top of my fork's README.md to see a diff of my hacks, and to get a URL for githtml-sandbox bookmarklet: https://github.com/dergachev/githtml
It seems to work in Chrome, in the sense that it doesn't allow XSS, and it renders the pages and even executes their JS.
However, my brief testing suggests that it renders complex pages poorly (try it on https://github.com/HPNeo/gmaps/blob/master/examples/context_menu.html), but I can't tell if it's due to fundamental problems of introducing the security restrictions, or because I adapted your code poorly (escaping, relative link handling, etc.).
It's all supported in Chrome, but srcdoc isn't supported in Firefox yet.
Read more:
- http://caniuse.com/iframe-sandbox
- https://developer.mozilla.org/en-US/docs/HTML/Element/iframe#Browser_compatibility
- http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox
- http://www.sitepoint.com/how-to-safeguard-your-site-with-html5-sandbox/
Thoughts?
Personal note: I'd be happier if you avoid using 1 or 2 character variable names, as it breaks my standard CMD-F code exploration technique, and forces me to use the chrome JS debugger to figure out what's going on.
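The sandbox/srcdoc approach described in the comment above, written out as an added example that is not part of the original thread and not the githtml project's code. It assumes the raw file's HTML has already been fetched as a string; `escapeAttr`, `withBase`, `sandboxedIframeMarkup` and the sample page are all constructed for this example. It covers the two places the comment suspects trouble (attribute escaping and relative links) and refuses the one sandbox token that would undo the protection.

```javascript
// Added example (not the githtml project's code): render untrusted HTML from a
// raw GitHub URL inside an iframe that uses the HTML5 sandbox + srcdoc
// attributes, so the page's scripts run in an opaque origin rather than in the
// github.com document that hosts the bookmarklet. All function names and the
// sample page below are constructed for this example.

// Escape text for use inside a double-quoted HTML attribute such as srcdoc.
// '&' must be replaced first so the other entities are not double-escaped.
function escapeAttr(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Directory of a raw file URL: everything up to and including the last '/'.
function baseHrefFor(rawUrl) {
  return rawUrl.slice(0, rawUrl.lastIndexOf('/') + 1);
}

// Insert <base href> so relative links, images and scripts in the rendered page
// resolve against the raw file's directory instead of the embedding page.
// Goes right after <head> when present, otherwise at the very start.
function withBase(html, baseHref) {
  const baseTag = `<base href="${escapeAttr(baseHref)}">`;
  const head = /<head[^>]*>/i.exec(html);
  if (head) {
    const at = head.index + head[0].length;
    return html.slice(0, at) + baseTag + html.slice(at);
  }
  return baseTag + html;
}

// Sandbox tokens a caller may opt into. allow-same-origin is intentionally
// absent: together with allow-scripts it would let the framed page reach the
// host document and strip its own sandbox attribute.
const OPTIONAL_TOKENS = new Set(['allow-forms', 'allow-popups', 'allow-modals']);

// Build the iframe markup. Scripts are allowed by default (the point is to
// preview pages that use JS), but always inside the sandboxed opaque origin.
function sandboxedIframeMarkup(html, baseHref, opts = {}) {
  const { allowScripts = true, extra = [], width = '100%', height = '600' } = opts;
  const tokens = allowScripts ? ['allow-scripts'] : [];
  for (const t of extra) {
    if (!OPTIONAL_TOKENS.has(t)) throw new Error(`refusing sandbox token "${t}"`);
    tokens.push(t);
  }
  return `<iframe sandbox="${tokens.join(' ')}"` +
    ` srcdoc="${escapeAttr(withBase(html, baseHref))}"` +
    ` width="${escapeAttr(String(width))}" height="${escapeAttr(String(height))}"></iframe>`;
}

// Constructed sample: an untrusted page whose script tries to read the host's
// cookies and which contains a relative link.
const SAMPLE_RAW_URL = 'https://raw.github.com/dergachev/githtml/master/example.html';
const SAMPLE_PAGE =
  '<html><head><title>demo</title></head><body>' +
  '<script>document.body.textContent = document.cookie;</script>' +
  '<a href="other.html">relative link</a></body></html>';

function demo() {
  return sandboxedIframeMarkup(SAMPLE_PAGE, baseHrefFor(SAMPLE_RAW_URL));
}

// In a browser: document.body.insertAdjacentHTML('beforeend', demo());
console.log(demo());
```

Because the sandbox attribute omits allow-same-origin, the framed document gets a unique origin: its scripts run, but they cannot read github.com's cookies or DOM. The same restriction is also a likely reason complex pages render poorly, since any cross-origin fetch from inside the frame is made with a null origin and depends on the target's CORS policy.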
Oh, just came across this alternative approach: http://htmlpreview.github.com/
Because it uses a free yahoo proxy service (via YQL), it doesn't have the security problems of executing strange code in the github.com context.
On the other hand, there's a dependency on Yahoo's free service... who knows how long that'll be around?
Here's their code: https://github.com/htmlpreview/htmlpreview.github.com/blob/master/htmlpreview.js
It'd be pretty easy to make a bookmarklet for it.
An unrelated security point... it's probably safer to give people a bookmarklet that references a JS file at a given git commit, rather than repo head. That is, this:
javascript:(function(){var d=document,s=d.createElement('script');s.src='//raw.github.com/ryt/githtml/103a0a8b91cb0b33485e8e92a642b663f6f04cdb/githtml.min.js?2';d.body.appendChild(s);})();
Instead of this:
javascript:(function(){var d=document,s=d.createElement('script');s.src='//raw.github.com/ryt/githtml/master/githtml.min.js?2';d.body.appendChild(s);})();
This means that should someone get access to your github account and push a malicious change to githtml.min.js, they won't be able to get all the users of this bookmarklet to pull it in automatically.
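The commit-pinning point above, as an added example that is not part of the original thread and not the githtml project's code: a builder that refuses to emit a bookmarklet unless the ref is a full commit id, plus a small audit that tells a pinned bookmarklet from a branch-tracking one. `pinnedBookmarklet` and `auditBookmarklet` are constructed names; the two bookmarklet strings are the ones quoted in the comment.

```javascript
// Added example (not the githtml project's code): build a bookmarklet whose
// script URL is pinned to a full commit id, and audit an existing bookmarklet
// to see whether it loads from a branch name instead. Function names are
// constructed; the two bookmarklet strings are the ones quoted in the thread.

const FULL_SHA = /^[0-9a-f]{40}$/;
const SAFE_PATH_PART = /^[A-Za-z0-9._\/-]+$/;

// Build the bookmarklet. Anything that is not a 40-hex commit id (a branch
// name, a tag, an abbreviated sha) is refused, so the loader cannot silently
// follow a moving ref.
function pinnedBookmarklet(owner, repo, commit, file) {
  if (!FULL_SHA.test(commit)) {
    throw new Error(`"${commit}" is not a full commit id; refusing to build an unpinned bookmarklet`);
  }
  for (const part of [owner, repo, file]) {
    if (!SAFE_PATH_PART.test(part)) throw new Error(`unexpected characters in "${part}"`);
  }
  const src = `//raw.github.com/${owner}/${repo}/${commit}/${file}`;
  return "javascript:(function(){var d=document,s=d.createElement('script');" +
    `s.src='${src}';d.body.appendChild(s);})();`;
}

// Pull the script src out of a bookmarklet and classify its git ref.
// Returns null when no "s.src='...'" assignment is found.
function auditBookmarklet(bookmarklet) {
  const src = /s\.src='([^']+)'/.exec(bookmarklet);
  if (!src) return null;
  const ref = /raw\.github\.com\/[^/]+\/[^/]+\/([^/]+)\//.exec(src[1]);
  if (!ref) return { src: src[1], ref: null, pinned: false };
  return { src: src[1], ref: ref[1], pinned: FULL_SHA.test(ref[1]) };
}

// The two bookmarklets quoted in the thread (used here as test input).
const PINNED =
  "javascript:(function(){var d=document,s=d.createElement('script');" +
  "s.src='//raw.github.com/ryt/githtml/103a0a8b91cb0b33485e8e92a642b663f6f04cdb/githtml.min.js?2';" +
  "d.body.appendChild(s);})();";
const UNPINNED =
  "javascript:(function(){var d=document,s=d.createElement('script');" +
  "s.src='//raw.github.com/ryt/githtml/master/githtml.min.js?2';d.body.appendChild(s);})();";

// One line per bookmarklet: pinned or not, the ref, and the script URL.
function report() {
  return [PINNED, UNPINNED].map((b) => {
    const a = auditBookmarklet(b);
    return `${a.pinned ? 'pinned  ' : 'UNPINNED'} ref=${a.ref} src=${a.src}`;
  });
}

console.log(report().join('\n'));
```

A commit id is content-addressed, so the file behind the pinned URL cannot change without the id changing; the trade-off is that users of a pinned bookmarklet get no fixes until they re-install it with a newer commit.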