Markdown Widget not sanitize content

Has your issue been reported?

• I have searched the existing issues and confirm it has not been reported.
• I give permission for members of the FlutterFlow team to access and test my project for the sole purpose of investigating this issue.

Current Behavior

Markdown Widget is introduced that in FF document.

You could use this widget in various applications like note-taking apps, forums, and blogging platforms.

For these type of user-content oriented usage, the widgets have to have functionality of sanitize before displaying.
But the widget causes crash with text data .
Common note-taking apps will sanitized that (and nothing happen).

Expected Behavior

Sanitize and don't crash.

Steps to Reproduce

1. Create text widget
2. Create Page State of String
3. Update the State with inputted text in the widget
4. Create Markdown Widget valued from No.3
5. Input into No.1

Reproducible from Blank

• The steps to reproduce above start from a blank project.

Bug Report Code (Required)

IT4wheflxItIpbxZ+KXTbcAwpCYWMjs2R+cO0u5tdCs8Guv2PbMyZM+lYldUOczjYWNYOE20gmMX/MrViPD1Nvk3FzqCf4BlwsxyaTuXIVqmVqaMEb63b3dTO+lMFVSl55iZuhFSNthhV1Fm3TuEI9isYADZHu/PPjE3MOaoXdeK2SrDX1iXc2URm05KZDPz

Context

The Markdown widget can't used for user-content oriented purpose as like FF document says.
If a malicious person posted this text, it would cause a crash in the apps of other users who viewed that content.

Visual documentation

Just before crash

After crash

Additional Info

If the lack of sanitization is a specification of the widget, then the documentation should be revised to avoid misunderstandings.

Environment

- FlutterFlow version: 4.1.34
- Platform: Web
- Browser name and version: Chrome 122.0.6261.129 (Official Build) (arm64)
- Operating system and version affected: macOS Sonoma 14.2.1

For your information,
Cheat sheet to sanitize.
https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html

[github-actions]

This issue is stale because it has been open for 7 days with no activity. If there are no further updates, a team member will close the issue.

[ryutosh]

This issue is stale because it has been open for 7 days with no activity. If there are no further updates, a team member will close the issue.

I understand that the FF team is in a difficult situation and it is inevitable that months go by without an issue being addressed.

However, if this is the case, could you please stop the automatic issue disappearance setting? We, the community, who take the time to describe the issue, feel as if the issue is not respected.

[leighajarett]

That's completely a fair request! We're working on making this process much smoother and hopefully everything will be ironed out in the next 2 weeks.

For now, I'm going to leave it as-is, but if we still are in a situation where we are not replying to you all within 2-3 days, then I will remove this setting. Thanks for your patience!!

[collinjackson]

This looks like a bug in an official Flutter package rather than anything specific to FlutterFlow. Generally the Markdown widget does sanitize, in the sense that it doesn't put the content into the HTML of the enclosing page when Flutter web is being used, so you don't need XSS filtering. (However, you probably should also put reasonable limits on the amount of untrusted Markdown content on the backend side.)

In this case, it wasn't gracefully handling image dimension parsing failures, leading to the error shown above.

I filed an issue flutter/flutter#146739 and fixed the issue in a PR flutter/packages#6518 for the flutter_markdown package. It's been automatically pushed to pub.dev as as flutter_markdown version 0.6.23.

The dependency won't be reflected in generated code until the next FlutterFlow release. However, in the meantime you can manually update your pubspec.yaml in your generated code.