Comments (4)
@punkeel Markdown parsers convert Markdown texts to HTML. Usually, they are not responsible for sanitization. There are other libraries, such as HTML Purifier, that sanitize HTML. You could use such a library when sanitization is necessary.
from parsedown.
You're right, and I "already" use a class for this job, but I feel like it could be Markdown's job to do it ...
For example, [Naughty link](javascript: alert(0\)) (-> [Naughty link](javascript: alert%280%29%29) is rendered as it should by Github (at least, I assume); but as it's in a code tag, HTML purifier ignores it ...
On the other side, security and purification depends on context, and should be treated by everyone ... You're right, and I think this issue should be closed before becoming a debate. I'll stick with home-made configs, the best to do I think :)
EDIT: looks like Github strips my naughty link. Well.
@punkeel Imagine you don't have Markdown inputs and Markdown parsing. Imagine you just have HTML inputs. You still need to prevent XSS attacks. In your case though the HTML is not coming directly from user input, but instead it comes out of the parser.
What GitHub most probably does is to clean up the HTML before outputting it.
If a Markdown parser strips out <script> tags, it would not be according to the spec. Also you would not be able to generate a full HTML page with scripts and all using Markdown as a source.
@hkdobrev That's right. Still, one could make a case that, since the parser already knows a lot about the input, it would be more efficient for it to do the sanitization when necessary. That should of course not be the default behavior since as you say it is not compatible with the spec.
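A concrete illustration of the split described in the thread (the parser turns Markdown into HTML; a separate pass over that HTML makes it safe to embed), added here as an example that is not part of the issue thread, of Parsedown, or of HTML Purifier: a small allowlist sanitizer in Python that runs over HTML shaped like what a Markdown parser would emit for the inputs discussed above. The sample HTML strings, the tag and attribute allowlists, and the `is_safe_url` and `sanitize` function names are constructed for this example.

```python
"""Allowlist sanitizer for HTML that comes out of a Markdown parser.

Hypothetical stand-alone example: the parser is only responsible for
Markdown -> HTML, so a second pass over its output removes script/style
elements, unknown tags and attributes, and links whose scheme is not on
the allowlist (e.g. javascript:). Not Parsedown's or HTML Purifier's code.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote

ALLOWED_TAGS = {"p", "a", "em", "strong", "code", "pre", "ul", "ol", "li",
                "br", "h1", "h2", "h3", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}                       # never emit a closing tag for these
DROP_WITH_CONTENT = {"script", "style"}  # element and its text both go
SAFE_SCHEMES = {"http", "https", "mailto"}
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def is_safe_url(url: str) -> bool:
    """Accept relative URLs and absolute URLs with an allowlisted scheme.

    Entity-decoding, percent-decoding and removal of control/space
    characters happen before the scheme is read, so the percent-encoded
    and mixed-case variants of a javascript: link are treated the same.
    """
    cleaned = unquote(html.unescape(url))
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", cleaned).lower()
    m = _SCHEME.match(cleaned)
    if m is None:
        return True  # no scheme at all: a relative link
    return m.group(1) in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0  # >0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, style=, and so on
            if name == "href" and not is_safe_url(value):
                continue  # link text survives, the unsafe target does not
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # Re-escape text, so whatever sits inside <code> stays literal text
            self.out.append(html.escape(data, quote=False))


def sanitize(rendered_html: str) -> str:
    """Run the allowlist pass over HTML produced by a Markdown parser."""
    s = Sanitizer()
    s.feed(rendered_html)
    s.close()
    return "".join(s.out)


# Constructed inputs resembling what a Markdown parser would emit for the
# cases discussed in the thread (not real Parsedown output).
SAMPLES = {
    "naughty": '<p><a href="javascript: alert(0)">Naughty link</a></p>',
    "encoded": '<p><a href="javascript: alert%280%29%29">Naughty link</a></p>',
    "in_code": '<pre><code>[Naughty link](javascript:alert(0))</code></pre>',
    "script": '<p>hi</p><script>alert(1)</script><p>bye</p>',
    "benign": '<p><a href="https://example.com/?q=1&amp;r=2" title="t" onclick="x()">ok</a></p>',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:8} {sanitize(raw)}")
```

The `in_code` sample passes through unchanged: inside `<code>` the link is plain text, never an `<a>` element, which is why a sanitizer has nothing to act on there, as noted earlier in the thread. The `naughty` and `encoded` samples lose only their `href`, so the link text is still shown but no longer points anywhere, and the `script` sample loses the element together with its contents rather than leaving the script body behind as visible text.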