Defaults to true, while false <p></p> (i.e.) should be vieweed as <p></p>
I hope you understand, thanks!
I'm not sure if I understand what you're looking for.
What I meant, I don't want to allow user to use HTML elements.
This is a example :
# Header
<button> HI </buttton>
I don't want to allow user to use elements like button, forms.
Markdown, by it's nature, supports HTML. SimpleMDE will not be changing this. You'll need to write code on your end if you want to disable HTML.
Actually I don't agree with you, this is a bug of your MD script, try it.
If you added a button in your MD it will result in a button.
If you added a button in GitHub, it will result into a
element.
I already solved it by an easy editing the code!
And it doesn't matter to me you will fix or not ( as you added wontfix label ).
GitHub comments not allowing HTML tags is a separate issue that is not related to the use of Markdown formatting. Markdown supports inline HTML (Markdown is intended to extend, not replace, HTML), so a Markdown editor's expected behaviour is to support the use of all HTML tags.
Well done on solving the issue with your exact use case of SimpleMDE.
I think this should be reopened. Having html be parsed is actually a huge security issue, and even if I really love MDE and I've been using it for a while, I think I will need to switch to something else because of this.
Even if it running JS is maybe not a problem, it still runs all the css fed into it. If you put this in the editor:
<style>body { background-color: green }</style>
then open the side-by-side preview and close that, the css will already affect the whole page, even if the html that ends up being sent to the server might be different. With css you can make buttons say what they shouldn't say, move things around, or not enable a user to do something, which itself is very very bad, even when just editing and checking using the native side-by-side comparison.
I understand that Makrdown is supposed to extend, not replace, but I do think it would be really nice to have that switch available for the developers who might want it disabled
The issue can be solved by wrapping the result.
not in the preview.
And I just noticed you can use a previewRender option, and you can wrap what you need there around SimpleMDE.prototype.markdown, but it feels really messy, and honestly I think we wouldn't suffer if we had a html flag.
This is my current workaround anyway:
SimpleMDE.prototype._markdown = SimpleMDE.prototype.markdown;
SimpleMDE.prototype.markdown = function( text ) {
let newText = text.split(''),
curorPos = this.simple
let inCode = false;
for( let i = 0; i < text.length; ++i ) {
let char = text[ i ];
// this actually works because the number of ticks is always odd
if( char === '`' )
inCode = !inCode;
if( char === '<' && !inCode )
newText[ i ] = '<';
}
var next = this._markdown( newText.join('') );
return next;
}
oh wait, don't use that. If a comment hasn't been finished, marked will parse the backticks as normal characters, but my code will still think it's monospaced...
This works:
// don't parse html
SimpleMDE.prototype._markdown = SimpleMDE.prototype.markdown;
SimpleMDE.prototype.markdown = function( text ) {
let newText = text.split(''),
curorPos = this.simple
let inCode = false;
for( let i = 0; i < text.length; ++i ) {
let char = text[ i ];
// this actually works because the number of ticks is always odd
if( char === '`' && text.lastIndexOf( '`' ) !== i )
inCode = !inCode;
if( char === '<' && !inCode )
newText[ i ] = '<';
}
var next = this._markdown( newText.join('') );
return next;
}
actually that doesn't work either ( backtick backtick <div> still renders the div ). I'll figure it out and stop writing here
DEFINITE FIX:
// get marked instance in any way
import marked from 'marked'
// set sanitize option, to just make it ignore html input
marked.setOptions({ sanitize: true });
Hello,
I tried an XSS query in simple MDE, By creating a link as following.
[XSS](javascript:alert%28sessionStorage.clear%28%29%29)
This converted into a link, that clears users sessionStorage.
Is there any way to sanitize these sort of links ?
Most helpful comment
Hello,
I tried an XSS query in simple MDE, By creating a link as following.
[XSS](javascript:alert%28sessionStorage.clear%28%29%29)This converted into a link, that clears users sessionStorage.
Is there any way to sanitize these sort of links ?