DR: Sanitize project markdown to prevent Liquid Injection attacks

This is a record in the Decision Records on Solutions Not Implemented.

Issue

Problem Statement

Sanitizing project data by escaping HTML tags in the imported markdown for each project to prevent Liquid Injection attacks.

Potential Solution

Refactoring the project loading code in assets/js/current-projects.js to use regular expressions to escape HTML special characters before parsing the YAML into a JSON object rather than using liquid objects.

Feasibility Determination

It was decided that since some projects use HTML tags in their descriptions (namely line breaks) and since any malicious code added to a project's markdown file would have to be added by someone with access to the entire codebase anyway, this issue would not provide enough of a security benefit to be worth the restrictions it would place on project descriptions.

Home

Click the arrow below each category to view links (or view original alphabetical list by clicking "Pages" above) :

Onboarding

Onboarding Links

Joining the HfLA Team
Introduction to the Project
Meet the Team
Being Part of the HfLA Dev Team
Contributing to the Website Repository
Project Terminology
On Github Security Updates

Site Architecture

Site Architecture Links

How To:

'How To' Article Links

Contribute to the Website Repository
Work off a Feature Branch
Create a New Website Page
Add Status Labels to Issues
Remove Files from a Pull Request
Review Pull Requests
Get a Repo ID for a New Project
Add Local User Accounts to Docker on Win10
Use Git GUI in VS Code

File Templates

File Template Links

Roles

Roles Links

Tools and Resources

Tools and Resources Links

Resource List
WCAG 2.0 Compliance Checkers

Marketing and Analytics

Marketing and Analytics Links

Provide feedback

Saved searches

Use saved searches to filter your results more quickly