Would you do it? Is "writing your own website" an activity that could be described as "untrusted user generated content"? I get the feeling that perhaps it is not! It is your site, you are writing the thing, so it's trusted. Your visitors need to trust you, too.
Now, in order for an attacker to hurt your visitors, they would need to get access to the file system via the web server somehow.
Do you feel that the situation changes when there's a service like Oddmu that generates the HTML based on Markdown?
I guess the source remains the same, you're writing the Markdown, therefore the HTML, and so on. But now the attack surface is larger: attackers can attack either the web server (the reverse proxy in front) or the service itself (in the backend). I don't run the service in a "demilitarized zone" (DMZ) – what a word! – so there's that.
The reason I'm wondering about all that is because I wonder whether I need to sanitize the output of the Markdown to HTML conversion using a library like bluemonday.
bluemonday takes untrusted user generated content as an input, and will return HTML that has been sanitised against an allowlist of approved HTML elements and attributes so that you can safely include the content in your web page.
Hm. Even if Oddmu is used by a group of people, I would still assume that they trust each other. In such a context, there are no "untrusted users".
So why not take the easy route and just apply sanitization always? The reason is that I sometimes (rarely!) include SVG in my Markdown, like in 2022-06-30 How to communicate dungeon maps to players.
2022-06-30 How to communicate dungeon maps to players
Yesterday evening and this morning I spent a fair amount of time writing code that adds SVG validation to a bluemonday policy. You can take a look in issue #196. It's awful. And I suspect that the specs will keep changing over time and so I will keep running into issues. It would be much easier to just drop it.
#Oddµ #Web #SVG