Add an option to escape HTML #182
Comments
If I strip the word "dangerous" from my initial comment and edit the examples to be less security related, will you re-open this? Seriously, my main concern was the following use case:
So
Sure, seems a valid enhancement when not used as a security feature. From the top of my head I think this can actually be implemented as an extension.
I gave this a shot and created an extension to do just that: https://github.com/phw/showdown-htmlescape The difficult part is to ignore all those parts that will do their own HTML escaping (code blocks and inline code). But so far it is working fine, even with code blocks inside block quotes.
@phw Thanks for your contribution. As far as I can tell, it's working fine. We're also planning on adding a new event system to showdown that might actually help you simplify your code. I will let you know when it's ready to release.
Currently showdown will happily accept all HTML and in addition parse the markdown. The result contains both the original HTML and the result from markdown interpretation. As the input might contain potentially dangerous code (such as `<script>`) it would be nice to have the option that showdown escapes all existing HTML. Example:
Expected output:
Actual output:
To fix this I could just escape the HTML before passing it to showdown, but this breaks code blocks (which do escape the HTML). So if I call:
I get this output (note the double encoding):
What would solve this is an option that either turns on the escaping in all parts of showdown or just disables the escaping inside the code blocks and lets the user do the escaping earlier.
See also discussion on showdownjs/ng-showdown#17
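As an added illustration (not showdown's code, nor the showdown-htmlescape extension's) of the double encoding described in this issue and of the approach in phw's comment, the following pre-escapes HTML only outside fenced code blocks and inline code spans; `renderFencedCode` is a hypothetical minimal stand-in for the converter's own escaping of code bodies.

```javascript
// Minimal HTML escaping of the characters that matter in text and attributes.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Naive pre-processing from the issue: escape the whole markdown source.
// Anything the converter escapes again on its own (code) gets double-encoded.
function escapeEverywhere(markdown) {
  return escapeHtml(markdown);
}

// Selective pre-processing: split the source on code segments (fenced blocks
// are tried before inline spans). Because the pattern has a capturing group,
// split() returns the code segments at odd indexes; only the even, plain-text
// segments are escaped and the code segments pass through untouched.
function escapeOutsideCode(markdown) {
  const codePattern = /(```[\s\S]*?```|`[^`\n]+`)/g;
  return markdown
    .split(codePattern)
    .map((segment, i) => (i % 2 === 1 ? segment : escapeHtml(segment)))
    .join('');
}

// Hypothetical stand-in for a markdown converter's handling of a fenced code
// block: the code body is HTML-escaped once by the converter itself.
function renderFencedCode(markdown) {
  return markdown.replace(
    /```\n([\s\S]*?)```/g,
    (_, body) => `<pre><code>${escapeHtml(body)}</code></pre>`
  );
}

// Constructed sample input: raw HTML in prose plus a fenced block containing HTML.
const SAMPLE = 'Hello <script>alert(1)</script>\n\n```\n<b>bold</b>\n```\n';

// Run both pre-processing strategies through the same renderer so the
// difference inside <pre><code> is visible: "&amp;lt;b&amp;gt;" (double-encoded)
// for the naive path versus "&lt;b&gt;" (encoded once) for the selective path.
function compare(markdown) {
  return {
    naive: renderFencedCode(escapeEverywhere(markdown)),
    selective: renderFencedCode(escapeOutsideCode(markdown)),
  };
}
```

A production filter would also need to skip indented code blocks and the other segments the converter escapes itself, which is the part phw's comment calls difficult.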