Marked: Disable specific html elements

Created on 5 Jun 2020 · 4 comments · Source: markedjs/marked

Describe the feature
I want to be able to disable rendering of some html tags (mainly <script> and/or <iframe>). Something similar to what GitHub does in its Markdown.

Why is this feature necessary?
Mainly for security reasons, because a user can make code with a virus or a page with a virus. But it is also good to be able to disable some features, such as <button>, <canvas> or <video>.

Describe alternatives you've considered
Maybe I can write some PHP function that deletes everything between these tags, but I have no idea how to do it.

All 4 comments

marked is focused on converting markdown to html. There are other libraries focused on making html safe to display. You can run the html through something like dompurify

Thanks!

But I save the markdown in the database. Does it not ruin the markdown?

Does it not ruin the markdown?

If you configure dompurify correctly it shouldn't ruin the output.

The problem with disabling certain html tags inside marked is that it still wouldn't be secure. Unless marked were focused on making sure it was 100% secure it still wouldn't be safe to output html that was user generated, and it wouldn't be any better than using a different library.

Here is a list from OWASP of ways a malicious actor could inject xss:
https://owasp.org/www-community/xss-filter-evasion-cheatsheet
