marked-element
The marked-element is insecure by default
Description
The marked-element has sanitize set to false by default, meaning that users of it are vulnerable to XSS unless it occurs to them to add the word sanitize.
It would be more sensible to add a noSanitize property (that defaults to false), and people that really trust their markdown can set it.
It will be obvious to people who need no-sanitize that something's wrong, and most likely no harm will come to them as a result, unlike the current situation.
Expected outcome
That Polymer projects are not vulnerable to XSS
Actual outcome
Users of the marked-element need to ensure they pass the sanitize attribute to their tags, or they'll be vulnerable to XSS when using user-generated markdown.
These properties are driven by the marked library API. I would bring it up over there. I don't know enough about the details of it.
I'm not proposing an upstream change, just proposing that we enable secure markdown by default, and allow people that want to allow arbitrary HTML (including scripts) to pass a no-sanitize for rendering trusted markdown.
This poor default has caused numerous XSS vulnerabilities.
So the proposal is simply to remove the sanitize boolean property, and create a noSanitize property that has the inverse meaning.
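The two defaults under discussion (the current opt-in sanitize flag described in the issue body, and the inverse noSanitize opt-out proposed above), modelled side by side as an added example. This is not code from marked-element or the marked library: the renderer is a hypothetical, deliberately tiny markdown subset written here only so the sanitization behaviour is visible, and the sample markdown with the script tag is constructed.

```javascript
// Added example (not marked-element or marked code): a minimal markdown-to-HTML
// converter modelling the two defaults discussed in the issue. Only a tiny
// markdown subset (paragraph, **bold**, `code`) is handled; the sanitization
// behaviour is the point.

// Escape the characters that let raw text break out into markup.
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Apply the markdown subset to text that is already escaped (or trusted).
function inlineMarkdown(text) {
  return text
    .replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>')
    .replace(/`([^`]+)`/g, '<code>$1</code>');
}

// Current shape, as the issue describes it (hypothetical model): `sanitize`
// defaults to false, so raw HTML in the markdown is passed through unless the
// caller remembers to opt in.
function renderSanitizeOptIn(markdown, { sanitize = false } = {}) {
  const body = sanitize ? escapeHtml(markdown) : markdown;
  return `<p>${inlineMarkdown(body)}</p>`;
}

// Proposed shape (hypothetical model): escaping is the default and `noSanitize`
// is the explicit opt-out for markdown the caller actually trusts.
function renderNoSanitizeOptOut(markdown, { noSanitize = false } = {}) {
  const body = noSanitize ? markdown : escapeHtml(markdown);
  return `<p>${inlineMarkdown(body)}</p>`;
}

// Constructed sample of user-generated markdown carrying a script tag.
const userMarkdown = 'Hello **world** <script>alert(document.cookie)</script>';

// True when the rendered output still contains a live script element.
function containsScript(html) {
  return /<script\b/i.test(html);
}

// Render the sample under all four settings and report which ones leak the script.
function demo() {
  const results = {
    currentDefault: renderSanitizeOptIn(userMarkdown),
    currentOptIn: renderSanitizeOptIn(userMarkdown, { sanitize: true }),
    proposedDefault: renderNoSanitizeOptOut(userMarkdown),
    proposedOptOut: renderNoSanitizeOptOut(userMarkdown, { noSanitize: true }),
  };
  for (const [name, html] of Object.entries(results)) {
    console.log(`${name}: script present = ${containsScript(html)}\n  ${html}`);
  }
  return results;
}

demo();
```

The only difference between the two renderers is which side of the flag does the escaping; the output for the forgetful caller (no flag at all) flips from a live script to escaped text, which is the whole argument of the issue.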
This is a property of the used markdown lib? Sounds like a sensible default. ;) If there is agreement we should take this in, I can make up a PR for it. Thanks for the in-depth report btw