ikkez / cryptdown Goto Github PK

If the webserver hosting cryptdown use a non-standard port, browser will attempt to get the content from standard port.

You can reproduce this by setting FORCE_SSL = false in config.ini then host Cryptdown with php -S 127.0.0.1:8666.

I guess <base href= is missing the port number to use.

I don't use Apache, I use Caddy. Is it possible to get rid of .htaccess? I don't mind "ugly" URLs, for example. Could a setting be implemented so rewrite isn't needed? Thanks!

Whenever I create a new paste it leads me to a page that says "Sorry! Error 404, Status: Not Found
HTTP 404 (GET /view/)"

I got a mail with a nice idea:

For example: First, CryptDown generate a key and a special URL. Then I give the URL to the receiver to let him encrypt his message (without another key since the URL is the public key) and send me the new URL for the encrypted text which I will then decrypt it with the key provided by CryptDown at the beginning.

STR:

1. Type in the markdown window <script>alert(1)</script>
2. Alert comes up :-)

I'd fix this by at best all of the items below:

• disallowing active markup (not that easy when doing yourself, but look at github.com/cure53/DOMPurify for a good third-party solution)
• rendering all markup on a sandbox domain e.g. cryptdownusercontent.com
• applying a strong Content Security Policy. This is considerably easy, when you take into account how small your codebase is.