DR: Sanitize project markdown to prevent Liquid Injection attacks - hackforla/website GitHub Wiki
This is a record in the Decision Records on Solutions Not Implemented.
Issue
Problem Statement
Sanitize project data by escaping HTML tags in each project's imported markdown, so that the rendered page is protected against Liquid Injection attacks.
Potential Solution
Refactor the project loading code in assets/js/current-projects.js so that it uses regular expressions to escape HTML special characters before the YAML is parsed into a JSON object, instead of relying on Liquid objects.
Feasibility Determination
It was decided that, since some projects use HTML tags in their descriptions (namely line breaks), and since any malicious code added to a project's markdown file would have to be added by someone with access to the entire codebase anyway, this change would not provide enough of a security benefit to be worth the restrictions it would place on project descriptions.