Hultner / safemd

Safety first markdown rendering
BSD 2-Clause "Simplified" License
77 stars, 5 forks

CMARK_OPT_SAFE does not exist anymore #8

Open HermanMartinus opened 2 years ago

HermanMartinus commented 2 years ago

It looks like GitHub's cmarkgfm has changed the option CMARK_OPT_SAFE, potentially to the inverse CMARK_OPT_UNSAFE. When running as CMARK_OPT_DEFAULT, XSS issues are still prevalent.

On running safemd.render(content) the following error occurs: `type object 'Options' has no attribute 'CMARK_OPT_SAFE'`.

Hultner commented 2 years ago

I should probably have added an update here, but that is true. I spoke with GitHub's maintainer of cmarkgfm and got the change (safe by default) into their upstream project. Then we talked with CommonMark maintainers and eventually we managed to get it changed in all of CommonMark. So all recently updated markdown renderers based on CommonMark or their derivatives should nowadays be safe by default and not exhibit any XSS problems.

My library still adds bleach, for additional security, in case another vulnerability in markdown appears. But I'm not sure if it's worth maintaining a whole library for that purpose. If it's desired I'll update safemd, but I've mainly kept it up for people still dependent on older versions of cmark/cmarkgfm.

HermanMartinus commented 2 years ago

👍 I'll just use CommonMark (new project and all), just thought you'd like to know :)