Support HTML whitelisting #26

Merged
merged 7 commits into from
Sep 2, 2018

Conversation

yhatt
Member

@yhatt yhatt commented Sep 2, 2018

This PR will extend the html option to support whitelisting. This idea is feedback from the discussion in the security issue yhatt/marp#187.

At first, we tried to sanitize by using the sanitize-html package. But it does not parse a fragment HTML token of markdown-it correctly. When using sanitize-html, <b>abc</b> (tokens: ['<b>', 'abc', '</b>']) will be converted to <b></b>abc (['<b></b>', 'abc', '']). The reason is that elements are closed automatically by htmlparser2.end() (the same as yhatt/markdown-it-incremental-dom#34).

We will adopt js-xss to sanitize. It can sanitize HTML fragments even if only an opening or closing element is passed.

We would allow only the <br> tag in the default whitelist. It is useful in multi-line headings.
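What per-token whitelisting has to get right, as an added example that is not marp-core's code and does not use js-xss or sanitize-html: a minimal sanitizer that treats each markdown-it html token on its own, so an opening tag in one token and its closing tag in another are kept or escaped independently instead of being auto-closed. The `DEFAULT_WHITELIST` shape (tag name to allowed attribute names) and all function names are my own assumptions.

```javascript
// Added example: per-token HTML whitelist for markdown-it style html tokens.
// A token may hold only "<b>" or only "</b>"; nothing is ever auto-closed,
// so the surrounding text tokens keep their order (unlike a document parser).
const DEFAULT_WHITELIST = { br: [] }; // tag name -> allowed attribute names (assumed shape)

const escapeHtml = (s) =>
  s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
// Text outside tags keeps its existing entities; only stray angle brackets are neutralised.
const escapeAngle = (s) => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');

// One tag: optional closing slash, name, raw attribute string, optional self-closing slash.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)([^<>]*?)(\/?)>/g;
const ATTR_RE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Keep only whitelisted attributes and re-emit them double-quoted and escaped.
function filterAttrs(raw, allowed) {
  const out = [];
  for (const m of raw.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    if (!allowed.includes(name)) continue; // event handlers etc. are dropped here
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    out.push(`${name}="${escapeHtml(value)}"`);
  }
  return out.length ? ' ' + out.join(' ') : '';
}

// Sanitize a single html token; tags not on the whitelist are rendered literally.
function sanitizeToken(token, whitelist = DEFAULT_WHITELIST) {
  let out = '';
  let last = 0;
  for (const m of token.matchAll(TAG_RE)) {
    out += escapeAngle(token.slice(last, m.index));
    const [whole, closing, name, attrs, selfClose] = m;
    const tag = name.toLowerCase();
    if (Object.prototype.hasOwnProperty.call(whitelist, tag)) {
      out += closing
        ? `</${tag}>`
        : `<${tag}${filterAttrs(attrs, whitelist[tag])}${selfClose ? ' /' : ''}>`;
    } else {
      out += escapeHtml(whole);
    }
    last = m.index + whole.length;
  }
  return out + escapeAngle(token.slice(last));
}

// Apply the whitelist to a token stream, one token at a time.
function sanitizeTokens(tokens, whitelist = DEFAULT_WHITELIST) {
  return tokens.map((t) => sanitizeToken(t, whitelist));
}
```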
