Hi
It is found that page (RunKit) has XSS possible, If you run following code in code snippet
var reactNativeHtmlToMarkdown = require("react-native-html-to-markdown")
var markdown = reactNativeHtmlToMarkdown.convert('<script>alert(1)</script>');
Hi there,
Thank you for raising this concern. Rest assured, the code you’re running is securely sandboxed and will not result in a XSS exploit. If you inspect the DOM after the code is run you will see that not only on a completely separate domain, but also a unique subdomain. This technique leverages the browsers own same-origin sandboxing security model. This alert, or any javascript you might run, will not be able to break out of the sandbox and talk to the parent page.
RunKit is a tool for running arbitrary code, as such we’ve taken several measures to ensure it’s secure.
Thanks again,
- Randy
Hi Randy
I totally get your point. Good to know that it’s secure. Thanks for building such a nice tool.
Regards
Gurdeep