> Also, it may be a good idea to sanitize the comment.body_html. That seems XSS abuseable.
GitHub handles sanitizing comment HTML automatically. They use a fairly strict[1] whitelist of tags/attributes that are allowed through. Anything that's not allowed gets escaped.
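Allowlist-style sanitization of the kind the reply describes, as an added example (not GitHub's own sanitizer; the tag/attribute allowlist, the `SAFE_HREF` rule and the `SAMPLE` comment body are assumptions made for illustration):

```javascript
// Added example: minimal allowlist HTML sanitizer in the style the reply
// describes: allowed tags/attributes pass, everything else is escaped.
// Not GitHub's sanitizer; this allowlist is an assumption for illustration.
const ALLOWED_TAGS = new Set(['p', 'a', 'b', 'i', 'em', 'strong', 'code', 'pre', 'ul', 'ol', 'li', 'br']);
const ALLOWED_ATTRS = { a: new Set(['href']) };
const SAFE_HREF = /^(https?:|mailto:|\/|#)/i; // rejects javascript: and data: URLs

function escapeHtml(s) {
  // '&' is left alone so entities already present are not double-encoded.
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

function sanitizeTag(closing, name, rawAttrs) {
  const tag = name.toLowerCase();
  if (!ALLOWED_TAGS.has(tag)) {
    // Disallowed tag: escape the whole thing so it renders as literal text.
    return escapeHtml(`<${closing}${name}${rawAttrs}>`);
  }
  if (closing) return `</${tag}>`;
  const allowed = ALLOWED_ATTRS[tag] || new Set();
  const attrRe = /([^\s=\/"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = `<${tag}`;
  let m;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const attr = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!allowed.has(attr)) continue;                // drops onclick, style, ...
    if (attr === 'href' && !SAFE_HREF.test(value.trim())) continue;
    out += ` ${attr}="${escapeHtml(value)}"`;
  }
  return out + '>';
}

function sanitizeHtml(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeHtml(html.slice(last, m.index)); // text between tags
    out += sanitizeTag(m[1], m[2], m[3]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(html.slice(last));
}
// Constructed sample body_html (not from the page):
const SAMPLE = '<p>Hi <b>there</b><script>alert(1)</script>' +
  '<a href="javascript:alert(1)" onclick="x()">click</a></p>';
console.log(sanitizeHtml(SAMPLE));
```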