Escaping raw HTML #32

Open
Gargron opened this issue Feb 12, 2014 · 2 comments

Gargron commented Feb 12, 2014

Hello!

I tried removing the htmlBlock extension, but raw HTML is still allowed. I can't find any option to disable it. That's fine for command-line usage where you control the inputs, but if you want to parse Markdown on a site with user-generated content, allowing raw HTML is a hazard.

Where and how could this be done?

Cheers,
Eugen

@kzykhys kzykhys self-assigned this Feb 13, 2014
kzykhys (Owner) commented Feb 13, 2014

There is no option to disable raw HTML.

I will add options (or an extension) for it. Thank you for your feedback :)

@kzykhys kzykhys added the 1.0 label Feb 13, 2014
@tomsommer

Any news on this?

Go to http://ciconia.kzykhys.com/ and enter

<script>alert('oh no');</script>

Obviously only tags outside the code blocks should be stripped or converted (as here on GitHub).
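
One way to get the behaviour asked for above without an option in the library, as an added example that is not part of the thread and is not Ciconia code. `renderUntrusted` and the stand-in renderer are hypothetical names, and the approach assumes the real renderer entity-encodes `&` inside code spans and blocks, as Markdown.pl does.

```php
<?php
/**
 * Render untrusted Markdown so that raw HTML shows up as text.
 *
 * Step 1 escapes every "<" before rendering, so the renderer never sees a tag.
 * Step 2 repairs the double escaping inside <code> elements, where the
 * renderer (assumption, see lead-in) encodes "&" itself.
 *
 * $render is any callable that turns a Markdown string into an HTML string.
 */
function renderUntrusted(string $markdown, callable $render): string
{
    // Fail closed: do not try to guess where code blocks are in the input.
    // A guess that disagrees with the renderer would let a tag through.
    $html = $render(str_replace('<', '&lt;', $markdown));

    // The input no longer contains "<", so every <code> element in $html was
    // produced by the renderer. Turn "&amp;lt;" back into "&lt;" inside them.
    // Known trade-off: a literal "&lt;" typed inside code is shown as "<".
    $fixed = preg_replace_callback(
        '~(<code\b[^>]*>)(.*?)(</code>)~s',
        static function (array $m): string {
            return $m[1] . str_replace('&amp;lt;', '&lt;', $m[2]) . $m[3];
        },
        $html
    );

    // If the regex engine fails, the unrepaired HTML is still safe to output.
    return $fixed ?? $html;
}

// Constructed stand-in for a Markdown renderer (inline code spans only):
// plain text passes through unescaped, code span content is entity-encoded.
$standIn = static function (string $md): string {
    $body = preg_replace_callback(
        '/`([^`\n]+)`/',
        static function (array $m): string {
            return '<code>' . htmlspecialchars($m[1], ENT_NOQUOTES) . '</code>';
        },
        $md
    );
    return '<p>' . $body . '</p>';
};

// Constructed input: the tag from the comment above, plus a tag in a code span.
$input = "Hi <script>alert('oh no');</script> and `<b>` in code";
echo renderUntrusted($input, $standIn), "\n";
```

Escaping `<` this way also turns off angle-bracket autolinks. It covers raw tags only, so URLs in Markdown links still need their own scheme check or an allowlist sanitizer on the rendered output.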
