Open HermanMartinus opened 2 years ago
I should probably have added an update here, but that is true. I spoke with GitHub's maintainer of cmarkgfm and got the change (safe by default) into their upstream project. Then we talked with the CommonMark maintainers and eventually we managed to get it changed in all of CommonMark. So all recently updated markdown renderers based on CommonMark or its derivatives should nowadays be safe by default and not exhibit any XSS problems.
My library still adds bleach, for additional security, in case another vulnerability in markdown appears. But I'm not sure if it's worth maintaining a whole library for that purpose. If it's desired I'll update safemd, but I've mainly kept it up for people still dependent on older versions of cmark/cmarkgfm.
👍 I'll just use CommonMark (new project and all), just thought you'd like to know :)
It looks like GitHub's `cmarkgfm` has changed the option `CMARK_OPT_SAFE`, potentially to the inverse `CMARK_OPT_UNSAFE`. When running as `CMARK_OPT_DEFAULT`, XSS issues are still prevalent. On running `safemd.render(content)` the following error occurs: `type object 'Options' has no attribute 'CMARK_OPT_SAFE'`.
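The issue above is the classic shape of a safety-flag inversion: old cmark made raw HTML pass-through the default and offered `CMARK_OPT_SAFE` as an opt-in, newer cmark drops that flag and offers `CMARK_OPT_UNSAFE` as an opt-out, so code that hard-codes the old name crashes with the `AttributeError` quoted, and code that silently falls back to the default on an old build renders raw HTML. The example below is an added illustration, not code from safemd or cmarkgfm: it picks the right option bits for whichever `Options` class it is handed, and runs a small set of constructed XSS probes through a renderer to confirm nothing reaches the output as live markup. It assumes `cmarkgfm.markdown_to_html(text, options=int)` and `cmarkgfm.cmark.Options` exist as named; the `_OldOptions` / `_NewOptions` classes and the probe strings are constructed stand-ins for the test.

```python
"""Version-tolerant safe rendering, plus a leak check for the renderer's output."""
import html
import re

# Constructed probe payloads (example data, not from the issue thread).
XSS_PROBES = [
    "<script>alert(1)</script>",
    '<img src=x onerror="alert(1)">',
    "[click](javascript:alert(1))",
    '<a href="javascript:alert(1)">x</a>',
]

# Markup that, if present verbatim in rendered output, means untrusted HTML got through.
_LEAK_RE = re.compile(
    r"<\s*script\b|<\s*img\b[^>]*\bonerror\s*=|href\s*=\s*[\"']?\s*javascript:",
    re.IGNORECASE,
)


def safe_render_options(options_cls):
    """Return the cmark option bits that keep raw HTML out, for old and new cmark alike.

    Old cmark: raw HTML passes through unless CMARK_OPT_SAFE is set (opt-in safety).
    New cmark: CMARK_OPT_SAFE is gone; raw HTML is dropped unless CMARK_OPT_UNSAFE
    is set (opt-out). In both cases the safe choice is to never OR in UNSAFE.
    """
    default = getattr(options_cls, "CMARK_OPT_DEFAULT", 0)
    safe = getattr(options_cls, "CMARK_OPT_SAFE", None)
    if safe is not None:
        return default | safe  # old API: must opt in explicitly
    return default  # new API: safe by default as long as UNSAFE is not added


def render_markdown_safely(text):
    """Render with cmarkgfm (assumed installed) without ever enabling raw HTML."""
    import cmarkgfm  # assumed signature: cmarkgfm.markdown_to_html(text, options=int)
    from cmarkgfm.cmark import Options  # assumed location of the option constants
    return cmarkgfm.markdown_to_html(text, options=safe_render_options(Options))


def escaping_renderer(text):
    """Reference 'renderer' that cannot leak: escapes everything, including quotes."""
    return html.escape(text, quote=True)


def find_leaks(render):
    """Run every probe through `render`; return the probes that came out as live HTML."""
    return [probe for probe in XSS_PROBES if _LEAK_RE.search(render(probe))]


class _OldOptions:
    """Constructed stand-in for the pre-change Options class (has CMARK_OPT_SAFE)."""
    CMARK_OPT_DEFAULT = 0
    CMARK_OPT_SAFE = 1 << 3


class _NewOptions:
    """Constructed stand-in for the post-change Options class (has CMARK_OPT_UNSAFE only)."""
    CMARK_OPT_DEFAULT = 0
    CMARK_OPT_UNSAFE = 1 << 17


if __name__ == "__main__":
    print("old API bits:", safe_render_options(_OldOptions))  # SAFE set
    print("new API bits:", safe_render_options(_NewOptions))  # default, UNSAFE never set
    print("pass-through leaks:", find_leaks(lambda s: s))
    print("escaping leaks:", find_leaks(escaping_renderer))
    try:
        print("cmarkgfm leaks:", find_leaks(render_markdown_safely))
    except ImportError:
        print("cmarkgfm not installed; live renderer check skipped")
```

`find_leaks` is the piece worth keeping in a test suite: run it against the real renderer at import time or in CI, so a dependency upgrade that flips the default (or a wrapper that quietly catches the `AttributeError` and falls back to `CMARK_OPT_DEFAULT` on an old cmark) fails loudly instead of shipping raw HTML.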