Comments (4)
tivie
commented on May 18, 2024
This is a necro issue, but I got the time to play around with showdown and XSS.
In short, my conclusion is that you can't really prevent XSS attacks with markdown and claiming to do so will probably give some sense of false security, which is worse.
The 2 rules of thumb are:
- filter for XSS after Showdown has processed any input, not before
- preferably server side, not client side
This excellent post by Michael Fortin provices more in-depth explanation
from showdown.
JakobKallin
commented on May 18, 2024
Correct. As I wrote in my original comment, Markdown already allows markup injection by design, so this doesn't introduce any (unintended) security issues. It's still a defect, though, causing invalid markup to be generated in some cases. To avoid it, URLs should be HTML-escaped before being inserted between attribute quotes.
from showdown.
tivie
commented on May 18, 2024
@JakobKallin I agree. The problem is assuring that by URL encoding, well, URLs, we won't break the parser. I will look into it.
from showdown.
JakobKallin
commented on May 18, 2024
Also keep in mind the difference between URL encoding and HTML escaping (neither of which has a standardized name as far as I know): URL encoding replaces characters that are not allowed in URLs, while HTML escaping replaces characters with special meaning in HTML. While I think both would work fine here in practice, HTML escaping is the correct one in this context.
from showdown.
Related Issues (20)
- Nonstandard HTML comment endings
- Error in parsing H tag with space before #
- Tables rendering wrong when in a list
- Bad <br> conversions from MD to HTML to MD HOT 1
- Bold text breaks if it starts or ends with a space
- Showdown fails to parse anything inside a div or span? HOT 2
- Reporting a vulnerability
- makeMarkdown need an extension
- Handling Streaming Data HOT 1
- superscript and subscript not working HOT 1
- Data Science ANnd Machine Learning
- Error in parsing hashtag at start of line
- Issues installing this package with React version >= 17 HOT 1
- Option `parseImgDimensions` is actually `true` by default despite doc, and also, when `false` still behaves as if `true` HOT 2
- URL not converting properly
- Links without protocol are threated as links, but behave as path
- Strikethroughs won't render. HOT 2
- showdownJS Domain expired HOT 1
- NPM installation browser support HOT 2
- [Suggestion] Markdown to array of objects
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from showdown.