OscarGodson / EpicEditor

EpicEditor is an embeddable JavaScript Markdown editor with split fullscreen editing, live previewing, automatic draft saving, offline support, and more. For developers, it offers a robust API, can be easily themed, and allows you to swap out the bundled Markdown parser with anything you throw at it.
http://epiceditor.com
MIT License

Option to turn off all JS put into editor #351

Open duguying opened 9 years ago

duguying commented 9 years ago
```markdown
#EpicEditor
This is some default content. Go ahead, _change me_.
<img src="./" onerror="alert('hack')">
```
OscarGodson commented 9 years ago

EpicEditor has never stripped this stuff because some people want to use JS in there. For example, they want to make something like JSBin with EpicEditor. Maybe turning off all embedded JS should be an option tho?

duguying commented 9 years ago

Yes, I think maybe an option should be there to

> turning off all embedded JS

OscarGodson commented 9 years ago

Reopening so someone can make this an option. Going to update the title a bit tho

duguying commented 9 years ago

ok, thanks

massar commented 9 years ago

One would effectively need something like https://github.com/microcosm-cc/bluemonday for this but then in Javascript to do it properly.

Seems somebody did a cross compile: https://github.com/mdp/bluemonday-js/ though that is NPM and quite heavy...

If the user or a tool does add text that includes JavaScript, you have lost already: the user can do it anyway, there is no way to stop it, and a tool that can already insert JavaScript already owns the browser.
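The allowlist approach massar points at with bluemonday, as an added JavaScript example (not EpicEditor's or bluemonday's code): everything not explicitly listed is dropped, which is what removes the `onerror` handler from the payload in the opening comment. The tag list, per-tag attribute list and the set of accepted URL schemes are assumptions chosen for a Markdown preview pane; URL values are entity-decoded and stripped of control characters before the scheme check because browsers do the same before following a `javascript:` link, and a production editor should still prefer a maintained sanitizer such as DOMPurify over a hand-rolled one.

```javascript
const ALLOWED_TAGS = new Set(['a', 'b', 'blockquote', 'br', 'code', 'em', 'h1', 'h2', 'h3', 'h4',
  'h5', 'h6', 'hr', 'i', 'img', 'li', 'ol', 'p', 'pre', 'strong', 'ul']);
const VOID_TAGS = new Set(['br', 'hr', 'img']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']), img: new Set(['src', 'alt', 'title']) };
const URL_ATTRS = new Set(['href', 'src']);
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
// Decode what a browser decodes inside an attribute, so "&#106;avascript:" is checked as "javascript:".
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|amp|lt|gt|quot|apos);?/gi, (whole, e) => {
    const l = e.toLowerCase();
    if (l[0] !== '#') return NAMED[l];
    const cp = l[1] === 'x' ? parseInt(l.slice(2), 16) : parseInt(l.slice(1), 10);
    return cp > 0x10ffff ? '' : String.fromCodePoint(cp);
  });
}

function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
// Allow relative URLs and http/https/mailto. Control characters are stripped first (browsers
// ignore them in "java\tscript:"); an undecoded entity in the would-be scheme ("javascript&colon;") is rejected.
function safeUrl(value) {
  const v = value.replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
  if (v.split(/[\/?#:]/, 1)[0].includes('&')) return false;
  const m = /^([a-z][a-z0-9+.-]*):/.exec(v);
  return !m || ['http', 'https', 'mailto'].includes(m[1]);
}
function sanitizeTag(closing, name, rawAttrs) {
  const tag = name.toLowerCase();
  if (!ALLOWED_TAGS.has(tag)) return '';  // <script>, <iframe>, <svg>, ...: drop the tag, keep inert text
  if (closing) return VOID_TAGS.has(tag) ? '' : `</${tag}>`;
  const allowed = ALLOWED_ATTRS[tag] || new Set();
  const attrRe = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = `<${tag}`;
  for (let m; (m = attrRe.exec(rawAttrs)) !== null;) {
    const attr = m[1].toLowerCase();
    if (!allowed.has(attr)) continue;     // drops onerror, onclick, style and anything else unlisted
    const value = decodeEntities(m[2] ?? m[3] ?? m[4] ?? '');
    if (URL_ATTRS.has(attr) && !safeUrl(value)) continue;
    out += ` ${attr}="${escapeAttr(value)}"`;
  }
  return out + '>';
}

// Every "<" either starts a tag rewritten above or is escaped, so comments and unterminated tags stay inert.
function sanitizeHtml(html) {
  return html.replace(/<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:[^>"']|"[^"]*"|'[^']*')*)>|</g,
    (whole, closing, name, attrs) => (name === undefined ? '&lt;' : sanitizeTag(closing, name, attrs)));
}
```

Dropped elements keep their text content, so `<script>alert(1)</script>` becomes the inert text `alert(1)`, while the image from the opening comment comes out as `<img src="./">`.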