Security risks with markdown component

Continuing the discussion from How to Insert a Line Break in a String in Perspective:

In the linked thread, PerryAJ refers to security risks involved in using the markdown component. Later, he says “Using the markdown component is not a bad solution for formatting text and will work just fine without enabling markup support.”, which I interpret to mean that while there are security risks involved in using the markdown component, if you don’t enable markup support, there risks are eliminated. However, it’s not clear to me how to use the component without enabling markup support.

Can anyone give me a very short primer (or point me to a suitable article on the topic) to help me understand the following:

  1. What are the risks involved in using the markdown component?
  2. What steps must I take when using the markdown component to eliminate these risks?

For context: I want to use the markdown object as a custom multi-state indicator, by attaching a custom “state” property, and using expression binding on the source to display one of several messages based on the state. I can do this with a standard label, but am unable to create multi-line text. The linked thread provided me with a couple of options to create a line break using the markdown component, but I want to make sure I’m using the component correctly and not introducing security issues.

1 Like

The markdown component itself isn’t high risk. Enabling HTML rendering from raw text input is the potential danger because it could allow for injection. You are literally asking it to inject code when you do that. As the user @code_skin mentioned, this is mostly an issue where you’re supplying unsanitized text to the component from an unknown party.

2 Likes

Ok, I think I understand that. So, I’m exposing myself to risk if I allow a user to manipulate what ends up in the markdown component source e.g. by binding it to a user input field.

However if I use the component with the source bound by expression to a set of pre-defined strings, then there is no risk involved, even if I uncheck “escapeHtml”. Correct?

I don’t have a lot of experience with HTML and am in the process of getting myself up to speed, so I appreciate the advice.

If those constraints (predefined set of strings) are true, then you probably have nothing to worry about. That said, if you wanted to enable some html markup but only a limited set, that is doable too. Any properties you define under the markdown key are passed directly to the underlying Markdown react component we utilize in Perspective. If you look at the docs there, you'll see options for allowedTypes and disallowedTypes, which gives some more control as to what you allow. Note that we are currently using version 3.3, but will likely update to 4.0 before final release.

1 Like