Security ? about parsedown HOT 4 CLOSED

@punkeel Markdown parsers convert Markdown texts to HTML. Usually, they are not responsible for sanitization. There are other libraries, such as HTML Purifier, that sanitize HTML. You could such library when sanitization is necessary.

from parsedown.

You're right, and I "already" use a class for this job, but I feel like it could be Markdown's job to do it ...

For example, [Naughty link](javascript: alert(0\)) (-> [Naughty link](javascript: alert%280%29%29) is rendered as it should by Github (at least, I assume); but as it's in a code tag, HTML purifier ignores it ...

On the other side, security and purification depends on context, and should be treated by everyone ... You're right, and I think this issue should be closed before becoming a debate. I'll stick with home-made configs, the best to do I think :)

EDIT: looks like Github strips my naughty link. Well.

from parsedown.

@punkeel Imagine you don't have Markdown inputs and Markdown parsing. Imagine you just have HTML inputs. You still need to prevent XSS attacks. In your case though the HTML is not coming directly from user input, but instead it comes out of the parser.

What GitHub most probably does is to clean up the HTML before outputting it.

If a Markdown parser strips out <script> tags, it would not be according to the spec. Also you would not be able to generate a full HTML page with scripts and all using Markdown as a source.

from parsedown.

@hkdobrev That's right. Still, one could make a case that, since the parser already knows a lot about the input, it would be more efficient for it to do the sanitization when necessary. That should of course not be the default behavior since as you say it is not compatible with the spec.

from parsedown.