Security Considerations of Markdown in a Blazor WASM

    HobbyProggy wrote:

    Morning everyone, less a question but more a discussion.

    I am tasked to create a Blazor page we will use to track our RSS or Atom feeds of interest, which we check regularly and validate if anything related to our work is posted. I was thinking about displaying the feed contents as markup string, so you'll also be able to read the article directly within the app instead of navigating to the website. The feed will only be displayed; the data to be stored is detached from the display and will only track if someone on the team has read and validated that article.

    But I am a bit unsure if that would be a good approach. With markdown for the display the app would be vulnerable to XSS, but on the other hand, if the feed was malicious and the colleague navigates to the article, the XSS could trigger on the corresponding page then. Am I a bit too cautious on that topic, or would you as well only provide a link to the article? I feel it would be neat if you could read the article directly in that app, but I am afraid it may cause a security issue.

    As a side note, I also must admit that we are ordered to limit our usage of 3rd party libs, which would probably help on sanitising the feed contents, although, as written above, there is always the option to navigate to the article, which just "outsources" the problem.

    Thanks for your answers in advance.

    Rules for the FOSW

    MessageBox.Show(!string.IsNullOrWhiteSpace(_signature)
    ? $"This is my signature:{Environment.NewLine}{_signature}": "404-Signature not found");
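
One way to keep articles readable in-app without `MarkupString` or a third-party sanitizer, as an added example that is not part of the original post: reduce the feed HTML to plain text and let Blazor render it as text, and allow only http/https links. `FeedText`, its members and the `item` model are hypothetical names; formatting such as images and inline links is deliberately lost.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Added example: BCL-only helpers for showing untrusted RSS/Atom content in Blazor.
// FeedText and its members are hypothetical names, not from the original post.
public static class FeedText
{
    // Script and style elements carry no readable text; drop them with their bodies.
    private static readonly Regex NonContent = new(
        @"<(script|style)\b[^>]*>.*?</\1\s*>",
        RegexOptions.IgnoreCase | RegexOptions.Singleline, TimeSpan.FromSeconds(1));
    // Block-level boundaries become line breaks so paragraphs survive.
    private static readonly Regex BlockBreak = new(
        @"<\s*(br|/p|/div|/li|/h[1-6])\b[^>]*>",
        RegexOptions.IgnoreCase, TimeSpan.FromSeconds(1));
    private static readonly Regex AnyTag = new(
        @"<[^>]*>", RegexOptions.None, TimeSpan.FromSeconds(1));

    // Reduces feed HTML to plain text. The result is NOT safe to wrap in
    // MarkupString: it is meant for @text, which Blazor renders as a text node,
    // so any markup the regexes miss is displayed as characters, never parsed.
    public static string ToPlainText(string? feedHtml)
    {
        if (string.IsNullOrWhiteSpace(feedHtml)) return string.Empty;
        string s = NonContent.Replace(feedHtml, string.Empty);
        s = BlockBreak.Replace(s, "\n");
        s = AnyTag.Replace(s, string.Empty);
        // Decode last: &lt;script&gt; becomes literal text, still shown as text.
        return WebUtility.HtmlDecode(s).Trim();
    }

    // Blazor encodes attribute values but does not check URL schemes, so a
    // javascript: link from the feed must be rejected before it reaches href.
    public static bool TryGetSafeLink(string? candidate, out Uri? link)
    {
        link = null;
        if (!Uri.TryCreate(candidate?.Trim(), UriKind.Absolute, out Uri? parsed)) return false;
        if (parsed.Scheme != Uri.UriSchemeHttp && parsed.Scheme != Uri.UriSchemeHttps) return false;
        link = parsed;
        return true;
    }
}

// Razor usage (hypothetical `item` model):
//   <pre style="white-space: pre-wrap">@FeedText.ToPlainText(item.Summary)</pre>
//   @if (FeedText.TryGetSafeLink(item.Link, out var url)) { <a href="@url" rel="noopener noreferrer" target="_blank">Open article</a> }
```

The regexes here are a text extractor, not an HTML sanitizer; the safety comes from never handing the result to `MarkupString`.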
