Hi there,
At present, placeholders can be transformed into Markdown if they are populated as such.
e.g. if you send [link](dodgy-link here) into ((your-placeholder-here)) it will render in your email.
This presents a compelling opportunity for an adversarial attacker to utilise Gov Notify's relative respectability as a phishing vector which both appears legitimate and gets through spam filters.
A potential suggestion would be to have specific fields that are populated from user input denoted within the template using some type of new syntax (e.g. ({safe-placeholder})) which gives protection at the template level.
Gov Notify could then choose to not send that email, throw an error or even alert the responsible template holder.
It would also allow your team to spot adversarial behaviour patterns via logging.
Hope this is helpful.
furnivall changed the title from "Feature request: placeholders which explicitly prevent markdown rendering" to "Security Feature Request: placeholders which explicitly prevent markdown injection" on May 9, 2024
It’s not documented, but you can use the code syntax in Markdown to effectively mark a block of text as ‘unsafe’.
For example
```
hello [link](dodgy-link here)
```
will render as-is, without the link being converted to HTML. We are probably going to document this explicitly and make sure it continues to be supported in the future.
You would still need to escape the content if you wanted to put it inside some other Markdown, for example a heading:
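The following is an added example, not code from the GOV.UK Notify project or from anyone in this thread. It uses a deliberately small, constructed Markdown subset (inline links, ATX headings, ``` fences, backslash escapes) to show the injection the issue describes, the maintainer's ``` workaround, the caveat that a value containing its own ``` line breaks out of that wrapper, and backslash-escaping as the mitigation that also works inside a heading. The template syntax, the `escape_markdown`/`find_markdown_injection` helpers and the `https://example.invalid/login` URL are all assumptions made for the example.

```python
import html
import re

# Constructed example: a tiny Markdown subset (links, headings, ``` fences,
# backslash escapes). It is NOT GOV.UK Notify's renderer; it exists only to
# show the placeholder injection and the mitigations discussed in the thread.
PLACEHOLDER_RE = re.compile(r"\(\((\w[\w-]*)\)\)")        # ((name))
LINK_RE = re.compile(r"\[([^\]]+)\]\(([^)\s]+)\)")          # [text](url)
HEADING_RE = re.compile(r"^(#{1,6})\s+(.*)$")               # "# heading" (per line)
ESCAPED_PUNCT_RE = re.compile(r"\\([!-/:-@\[-`{-~])")       # \X, X = ASCII punctuation
PUNCT_RE = re.compile(r"([!-/:-@\[-`{-~])")


def fill_template(template, values, escape=False):
    """Substitute ((placeholders)). escape=False is the injectable behaviour the
    issue describes: the value is pasted into the Markdown exactly as supplied."""
    def sub(m):
        value = values[m.group(1)]
        return escape_markdown(value) if escape else value
    return PLACEHOLDER_RE.sub(sub, template)


def escape_markdown(value):
    """Backslash-escape every ASCII punctuation character so user-supplied text can
    sit inside any Markdown construct (including a heading) without being parsed.
    CommonMark allows any ASCII punctuation character to be escaped this way."""
    return PUNCT_RE.sub(r"\\\1", value)


def find_markdown_injection(value):
    """Name the Markdown/HTML constructs present in a placeholder value, for the
    'refuse to send, raise an error, alert the template owner, log it' option."""
    checks = {
        "markdown link": LINK_RE,
        "heading marker": re.compile(r"^#{1,6}\s", re.MULTILINE),
        "html tag": re.compile(r"<[A-Za-z/][^>]*>"),
        "fence": re.compile(r"^```", re.MULTILINE),  # would close a ``` wrapper
    }
    return [name for name, rx in checks.items() if rx.search(value)]


def _render_inline(line):
    # Stash backslash-escaped punctuation so the link/heading regexes skip it.
    stash = {}

    def keep(m):
        key = f"\x00{len(stash)}\x01"
        stash[key] = m.group(1)
        return key

    line = ESCAPED_PUNCT_RE.sub(keep, line)
    line = html.escape(line, quote=True)
    line = LINK_RE.sub(r'<a href="\2">\1</a>', line)
    line = HEADING_RE.sub(lambda m: f"<h{len(m.group(1))}>{m.group(2)}</h{len(m.group(1))}>", line)
    for key, ch in stash.items():
        line = line.replace(key, html.escape(ch))  # restore as literal text
    return line


def render_markdown(md):
    """Render the toy subset to HTML. Text inside ``` fences is HTML-escaped and
    never parsed, which is the behaviour the maintainer's workaround relies on."""
    out, code, in_code = [], [], False
    for line in md.split("\n"):
        if line.strip() == "```":
            if in_code:
                out.append("<pre>" + html.escape("\n".join(code)) + "</pre>")
                code = []
            in_code = not in_code
        elif in_code:
            code.append(line)
        else:
            out.append(_render_inline(line))
    if in_code:  # unterminated fence: still treat the remainder as code
        out.append("<pre>" + html.escape("\n".join(code)) + "</pre>")
    return "\n".join(out)


# Constructed inputs; the URL is a placeholder, not a real site.
DODGY = "[Confirm your account](https://example.invalid/login)"
PLAIN_TEMPLATE = "Hello ((name)),\n\nYour reference is ((reference))."
FENCED_TEMPLATE = "Your reference:\n```\n((reference))\n```"
HEADING_TEMPLATE = "# Ref: ((reference))"


def demo():
    values = {"name": "Jo", "reference": DODGY}
    return {
        # 1. Raw substitution: the attacker-controlled link renders as <a>.
        "injected": render_markdown(fill_template(PLAIN_TEMPLATE, values)),
        # 2. Maintainer's workaround: the template wraps the placeholder in ```.
        "fenced": render_markdown(fill_template(FENCED_TEMPLATE, values)),
        # 3. Caveat: a value containing its own ``` line closes the wrapper.
        "fence_breakout": render_markdown(fill_template(
            FENCED_TEMPLATE, {"reference": "```\n" + DODGY + "\n```"})),
        # 4. Escaping works where a fence cannot go, e.g. inside a heading.
        "heading_escaped": render_markdown(
            fill_template(HEADING_TEMPLATE, values, escape=True)),
        "flags": find_markdown_injection(DODGY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The fence workaround is only as strong as the guarantee that the value cannot contain a fence line of its own, which is why a real template system should escape (or reject and log) at the point where the untrusted value enters the template rather than relying on the surrounding Markdown.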