getgrav / grav

Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS powered by PHP, Markdown, Twig, and Symfony
https://getgrav.org
MIT License

Is filter |markdown supposed to bypass autoescape? #3488

Open pamtbaau opened 2 years ago

pamtbaau commented 2 years ago

When content/variable is considered safe, we can use filter |raw to bypass autoescaping.

Although it has a completely different function, filter |markdown has the same effect. Is that by design or an unforeseen side-effect?

For example, both snippets below show the alert when the page is rendered:

{{ '<script>alert("Hello filter raw")</script>'|raw }}
{{ '<script>alert("Hello filter markdown")</script>'|markdown }}

mahagr commented 2 years ago

The short answer is yes. Markdown allows HTML tags to be used freely without any restrictions.
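As an added illustration (not code from this issue or from Grav itself), the standalone script below shows the mechanism behind the behaviour described above: a Twig filter registered with the `is_safe` option has its output exempted from autoescape exactly as `|raw` does, so any HTML in the Markdown source reaches the browser. It also shows the defender's option for untrusted Markdown, Parsedown's safe mode, which escapes raw HTML instead of passing it through. It assumes the composer packages twig/twig and erusev/parsedown are installed; the hostile input string is constructed for the demo.

```php
<?php
// Added example, not Grav's own code. Assumes composer packages
// twig/twig and erusev/parsedown (autoload.php path is an assumption).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;

// Constructed hostile input: inline HTML mixed with ordinary Markdown.
$untrusted = '<script>alert("x")</script> **bold**';

$loader = new ArrayLoader([
    'escaped'  => '{{ body }}',               // autoescape applies
    'raw'      => '{{ body|raw }}',           // autoescape bypassed
    'markdown' => '{{ body|markdown }}',      // bypassed via is_safe
    'safe_md'  => '{{ body|safe_markdown }}', // is_safe, but HTML escaped by parser
]);
$twig = new Environment($loader, ['autoescape' => 'html']);

// A markdown filter declared HTML-safe: Twig skips autoescape on its result,
// so raw HTML inside the Markdown source is emitted untouched (the |raw effect).
$twig->addFilter(new TwigFilter('markdown', function (string $md): string {
    return (new Parsedown())->text($md);
}, ['is_safe' => ['html']]));

// Hardened variant for untrusted input: Parsedown's safe mode escapes raw
// HTML blocks and inline tags while still rendering Markdown syntax,
// so **bold** becomes <strong> but <script> is neutralised.
$twig->addFilter(new TwigFilter('safe_markdown', function (string $md): string {
    $parser = new Parsedown();
    $parser->setSafeMode(true);
    return $parser->text($md);
}, ['is_safe' => ['html']]));

// Render the same untrusted string through each template for comparison.
foreach (['escaped', 'raw', 'markdown', 'safe_md'] as $name) {
    printf("%-9s %s\n", $name . ':', $twig->render($name, ['body' => $untrusted]));
}
```

Only the `escaped` and `safe_md` renderings are free of a live `<script>` tag; `raw` and `markdown` both hand the tag to the browser, which is the point the question above raises.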

pamtbaau commented 2 years ago

Thanks.

Forgot to ask: I've seen themes using {{ page.content | markdown }} instead of |raw. Does it make sense to parse already parsed Markdown again?

rhukster commented 2 years ago

Content should already be markdown processed, so that does sound redundant. However, if you have a custom field in frontmatter that contains markdown, the filter makes sense.