-
Notifications
You must be signed in to change notification settings - Fork 3.6k
Security
This is the landing page Highlight.js links to when it detects a potential XSS attack vector. In your web console you'll see:
One of your code blocks includes unescaped HTML. This is a potentially serious security risk.
https://github.com/highlightjs/highlight.js/wiki/security
[<HTML element in question>]
This warning indicates that a code block on your page contains unescaped HTML:
<pre><code class="language-html">
<h1>This is a header</h1>
</code></pre>
See the h1
tags above. This is not correct.
Actual HTML code (that you're trying to highlight) inside code blocks should be properly escaped:
<pre><code class="lang-html">
<h1>This is a header</h1>
</code></pre>
Here the <
and >
have been replaced with their HTML safe equivalents.
Reference:
- https://github.com/highlightjs/highlight.js/issues/2886
- https://www.acunetix.com/blog/articles/preventing-xss-attacks/
Unescaped HTML can lead to security vulnerabilities in the form of XSS attacks - someone sneaking their HTML (or JavaScript) inside your own - and then doing who knows what manner of mischief.
Remove all unescaped HTML from all your pre/code
blocks.
Yes, our documentation explains how - but this is not something most users should do - and if there is a legitimate security vulnerability just turning off the warning doesn't resolve the vulnerability.
We won't support this in Core. Actual (intentional) HTML inside of code
blocks (which is valid in the HTML spec) is simply not something we support because far too easy to shoot yourself in the foot with it. This type of support (for the small number who need it) can easily be added via a plugin. If someone is willing to bring the old HTML merge plugin up-to-date and maintain and support it, they are free to do so. The plugin hook you are looking for is before:highlightElement
.