Closed Ajedi32 closed 8 years ago
Eh, I think I'm actually going to hold off on this for now, mainly because I'm not sure how a system to make Metalsmith safe to use on untrusted site data would even work in the first place.
If the untrusted site has control of the metalsmith.json file, it could simply set the eval option on this plugin, rendering the currently proposed implementation useless. And if they don't have control of the metalsmith.json file, then you don't need this option at all; just don't enable the executable metadata formats and you should be safe.
Basically a way to make the plugin safe to use on untrusted site data.