Hugo + CMS and 'unsafe = true'

Hi there,

We are reviewing Hugo themes, in particular Netlify-CMS-compatible themes.

We would like to use this CMS to open up publishing:

  • to users with no technical skills (i.e. pasting random content into the CMS)
  • to users we don't trust (i.e. potentially trying to exploit the platform)

No moderation will take place; the content goes straight from the CMS to live, public HTML.

Question #1: Do you have general advice about this use case?
(let's first consider that unsafe is set to false)

The case of unsafe = true

Some appealing themes ship with Netlify-CMS / Forestry and use the following setting in config.toml:

[markup.goldmark.renderer]
  unsafe = true

The documentation is short on this topic (see also #6581).

Question #2: How should we scope the risks induced by this setup? Is the content completely unfiltered in such a situation?

Question #3: Can you think of a way to properly filter the content submitted via a CMS?

Thanks!

1 Like

Yes. Don’t do it.

Yes. A user could include this in their Markdown:

<script>
  alert("Ha ha ha");
</script>

<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link href="https://fonts.googleapis.com/css2?family=Libre+Barcode+39&display=swap" rel="stylesheet">

<style>
  body {
    font-family: 'Libre Barcode 39', cursive;
    font-size: 400%;
    color: red;
  }
</style>

After pressing OK in the “Ha ha ha” alert popup, any text on the page will be rendered as a giant red barcode.

Or they could just burn CPU cycles and freeze the browser tab with:

<script>
  var i = 0;
  while (1) {
    console.log(i)
    i++
  }
</script>

Moderate the content (or limit to trusted users) and use the default security model (unsafe = false).

1 Like

It couldn't be any clearer, thank you @jmooring!

The solution is to implement selected usage via shortcodes, I guess.

Also note, even if you set unsafe=false: since the Markdown Attributes feature was released, event handlers can be attached to a code fence via on<event> in Markdown attributes, and there is no config to disable this.

# do not directly copy the code below; it contains a zero-width space before the triple backticks (to stop Discourse from rendering it)

​```html {onclick="alert('xss')" onmouseenter="alert('xss-onmouseenter')"}
<h1>Hello World</h1>
​```

@jmooring @iaeiou

2 Likes

Also note, even if you set unsafe=false: since the Markdown Attributes feature was released, event handlers can be attached to a code fence via on<event> in Markdown attributes, and there is no config to disable this.

Confirmed: tested with unsafe = false, and an alert is displayed.
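The thread establishes two things: with unsafe = true raw HTML (script, link, style) is rendered verbatim, and even with unsafe = false an on<event> attribute in a code fence's Markdown attribute block reaches the page, with no setting to turn that off. For untrusted authors that leaves a check on the submitted Markdown itself, before Hugo builds it, as the remaining technical control. The Go program below is an added example written for this page; it is not Hugo or goldmark code. It scans a submission line by line and flags opening raw HTML tags (the concern under unsafe = true) and on<event>= attributes in fence or heading attribute blocks (the concern regardless of that setting), while skipping text inside fenced code because goldmark HTML-escapes it. The tag list, the regexes, the Finding type and the sample submission are this example's own choices; the sample is constructed from the payloads quoted in the thread.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one construct in a submitted Markdown document that would reach
// the rendered page as active content under the Hugo settings discussed above.
type Finding struct {
	Line   int    // 1-based line number in the submission
	Reason string // why the line was flagged
	Text   string // the offending line, whitespace-trimmed
}

var (
	// Opening raw HTML tags that goldmark emits verbatim when unsafe = true.
	// The tag list is this example's own choice, not a Hugo/goldmark setting.
	rawHTMLTag = regexp.MustCompile(`(?i)<\s*(script|style|link|iframe|object|embed|meta|base|form|svg)\b`)

	// Inline on<event> handlers and javascript: URLs inside raw HTML.
	inlineHandler = regexp.MustCompile(`(?i)\bon[a-z]+\s*=|(?:href|src|action|formaction)\s*=\s*["']?\s*javascript:`)

	// Fenced code opener: up to 3 spaces of indent, a run of ` or ~, an
	// optional info string and an optional Markdown attribute block {...}.
	fenceOpener = regexp.MustCompile("^ {0,3}(`{3,}|~{3,})[ \t]*([^`{\\s]*)[ \t]*(\\{.*\\})?[ \t]*$")

	// ATX heading carrying a trailing Markdown attribute block.
	headingAttr = regexp.MustCompile(`^ {0,3}#{1,6}[ \t].*?(\{[^{}]*\})[ \t]*$`)

	// on<event>= inside an attribute block: the case unsafe = false does not stop.
	onEvent = regexp.MustCompile(`(?i)(?:^|[\s{])on[a-z]+\s*=`)
)

// ScanMarkdown reports every construct that would survive rendering as
// script-bearing HTML. Code inside fences is skipped: goldmark escapes it.
func ScanMarkdown(md string) []Finding {
	var findings []Finding
	inFence := false
	fenceMarker := "" // the run of ` or ~ that opened the current fence

	for i, raw := range strings.Split(md, "\n") {
		lineNo := i + 1
		line := strings.TrimRight(raw, "\r")
		trimmed := strings.TrimSpace(line)

		if inFence {
			// Closing fence: same character, at least as long as the opener,
			// nothing else on the line. Anything else is inert code text.
			if strings.HasPrefix(trimmed, fenceMarker) && strings.Trim(trimmed, fenceMarker[:1]) == "" {
				inFence = false
			}
			continue
		}
		if m := fenceOpener.FindStringSubmatch(line); m != nil {
			inFence, fenceMarker = true, m[1]
			if onEvent.MatchString(m[3]) {
				findings = append(findings, Finding{lineNo, "event handler in code fence attributes (not blocked by unsafe = false)", trimmed})
			}
			continue
		}
		if m := headingAttr.FindStringSubmatch(line); m != nil && onEvent.MatchString(m[1]) {
			findings = append(findings, Finding{lineNo, "event handler in heading attributes (not blocked by unsafe = false)", trimmed})
			continue
		}
		if rawHTMLTag.MatchString(line) {
			findings = append(findings, Finding{lineNo, "raw HTML tag (rendered verbatim when unsafe = true)", trimmed})
		}
		if inlineHandler.MatchString(line) {
			findings = append(findings, Finding{lineNo, "inline event handler or javascript: URL in raw HTML", trimmed})
		}
	}
	return findings
}

// IsSafe reports whether a submission produced no findings.
func IsSafe(md string) bool { return len(ScanMarkdown(md)) == 0 }

// sampleSubmission is a constructed input built from the payloads quoted in
// this thread, plus a benign fence whose <script> text must not be flagged.
const sampleSubmission = "# Welcome {.title}\n" +
	"<script>\n" +
	"  alert(\"Ha ha ha\");\n" +
	"</script>\n" +
	"<link href=\"https://fonts.googleapis.com/css2?family=Libre+Barcode+39&display=swap\" rel=\"stylesheet\">\n" +
	"```html {onclick=\"alert('xss')\" onmouseenter=\"alert('xss-onmouseenter')\"}\n" +
	"<h1>Hello World</h1>\n" +
	"```\n" +
	"```html\n" +
	"<script>escaped by goldmark, harmless</script>\n" +
	"```\n"

func main() {
	for _, f := range ScanMarkdown(sampleSubmission) {
		fmt.Printf("line %d: %s\n    %s\n", f.Line, f.Reason, f.Text)
	}
}
```

Run on the sample, the scanner flags the `<script>` and `<link>` lines and the fence opener carrying onclick/onmouseenter, and stays quiet on the `<h1>` and the second `<script>` because both sit inside fences. This is a denylist tripwire for a CI or pre-build step, not a sanitizer: it catches the constructs the thread demonstrates but, as the answer above says, moderation or restricting publishing to trusted users remains the real control.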
