by 0xAlchemist
0xAlchemist raised a security concern about potential XSS vulnerabilities in rendering discussions on Supabase pages. The user outlined a trust chain involving user input from GitHub, processing through MDX, and final rendering on Supabase pages. They seek guidance on safe testing procedures.
Hi @Supabase team,
I'm submitting this as a security inquiry regarding potential XSS risks in the way Changelog content (and other pages rendering discussions) is displayed. I want to ensure responsible testing and would like guidance on how to proceed safely.
For context, here’s the trust chain I’m examining:
User input: a GitHub user submits Markdown content via a discussion
GitHub API: the discussion content is fetched; GitHub sanitizes some content but returns Markdown/HTML
MDX pipeline: Supabase uses mdxSerialize -> MDXRemote to render the content
Page output (sink): the rendered content appears on supabase.com pages like the Changelog or blog posts
This forms a trust chain: external input flows through several layers before being rendered in the browser, so a vulnerability here could be exploited if any layer fails to properly sanitize or escape content.
I'd like to understand if this flow has been considered and whether there's a safe environment where I can test it responsibly.
Thank you for your guidance!
Would cloning the Supabase Github repo locally help?
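The trust chain above (GitHub discussion body -> GitHub API HTML -> mdxSerialize/MDXRemote -> page) is only as safe as the strictest sanitization step in it. As an added illustration that is not the poster's code and not Supabase's code, the block below is a small allowlist HTML sanitizer of the kind a defender would place between the GitHub API response and the MDX pipeline: it keeps a fixed set of tags and attributes, removes `script`/`style`-type elements together with their contents, drops every `on*` event-handler attribute, and only lets `href`/`src` through when the URL scheme is `http`, `https`, `mailto` or relative. The sample input `SAMPLE_DISCUSSION_HTML` is constructed for the example; the tag and attribute lists are assumptions, not the allowlist any real project uses. In production a maintained sanitizer (for example `rehype-sanitize` in a unified/MDX pipeline, or DOMPurify) should be preferred over a hand-rolled one; the point here is where the check sits and what it has to refuse.

```javascript
// Hypothetical allowlist sanitizer for HTML returned by the GitHub API, meant
// to run before mdxSerialize/MDXRemote. Example code, not Supabase's.
const ALLOWED_TAGS = new Set([
  'p', 'a', 'b', 'strong', 'i', 'em', 'code', 'pre', 'ul', 'ol', 'li',
  'h1', 'h2', 'h3', 'blockquote', 'br', 'img',
]);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']), img: new Set(['src', 'alt']) };
const GLOBAL_ATTRS = new Set(['class', 'title']);   // allowed on every kept tag
const URL_ATTRS = new Set(['href', 'src']);
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed']);
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9-]*)\b([^>]*)>/g;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Decode numeric entities so an encoded scheme cannot slip past the check.
function decodeNumericEntities(value) {
  return value
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => {
      const cp = parseInt(h, 16);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : '';
    })
    .replace(/&#(\d+);/g, (_, d) => {
      const cp = parseInt(d, 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : '';
    });
}

// A URL is safe if it is relative or uses one of the allowed schemes.
// Control characters and whitespace are stripped first because browsers
// ignore them inside the scheme, which is how filters get bypassed.
function safeUrl(value) {
  const cleaned = decodeNumericEntities(value).replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return true;                               // no scheme: relative URL
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Rebuild the attribute string of one opening tag from the allowlist only.
function filterAttrs(tag, attrText) {
  let kept = '';
  ATTR_RE.lastIndex = 0;
  let a;
  while ((a = ATTR_RE.exec(attrText)) !== null) {
    const name = a[1].toLowerCase();
    const value = a[2] ?? a[3] ?? a[4] ?? '';
    if (name.startsWith('on')) continue;             // event handlers never pass
    const perTag = ALLOWED_ATTRS[tag] || new Set();
    if (!perTag.has(name) && !GLOBAL_ATTRS.has(name)) continue;
    if (URL_ATTRS.has(name) && !safeUrl(value)) continue;
    kept += ` ${name}="${value.replace(/"/g, '&quot;')}"`;
  }
  return kept;
}

// Walk the HTML tag by tag: keep allowed tags with filtered attributes,
// strip unknown tags but keep their text, and drop dangerous elements
// together with everything inside them.
function sanitizeHtml(html) {
  let out = '';
  let last = 0;
  let dropTag = null;          // set while inside a script/style-type element
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    const [raw, name, attrText] = m;
    const tag = name.toLowerCase();
    const closing = raw.startsWith('</');
    if (dropTag === null) out += html.slice(last, m.index);   // text node
    last = m.index + raw.length;
    if (dropTag !== null) {
      if (closing && tag === dropTag) dropTag = null;
      continue;
    }
    if (DROP_WITH_CONTENT.has(tag)) {
      if (!closing) dropTag = tag;
      continue;
    }
    if (!ALLOWED_TAGS.has(tag)) continue;            // unknown tag: strip, keep text
    out += closing ? `</${tag}>` : `<${tag}${filterAttrs(tag, attrText)}>`;
  }
  if (dropTag === null) out += html.slice(last);
  return out;
}

// Constructed sample standing in for a GitHub discussion body after the API
// has turned it into HTML; it is not real Changelog content.
const SAMPLE_DISCUSSION_HTML =
  '<p>Release notes <a href="https://example.com" onclick="evil()">link</a></p>' +
  '<script>evil()</script><img src="x" onerror="evil()">' +
  '<a href="javascript:evil()">bad</a>';

function demo() {
  return sanitizeHtml(SAMPLE_DISCUSSION_HTML);
}

console.log(demo());
// <p>Release notes <a href="https://example.com">link</a></p><img src="x"><a>bad</a>
```

The sanitizer is deliberately placed before `mdxSerialize`, because anything that survives to MDX is compiled into the page as trusted markup; testing a flow like this locally means feeding constructed bodies such as `SAMPLE_DISCUSSION_HTML` into the pipeline and checking that every event handler, scheme trick and dropped element is gone at the page output, not at an intermediate step.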