hey-red / Markdown

Open source C# implementation of Markdown processor, as featured on Stack Overflow.
MIT License

JavaScript not in code block is not encoded #72

Closed mmillican closed 8 years ago

mmillican commented 8 years ago

If JavaScript is not in a code block, it will not be encoded, and will therefore be executed.

Applying Html.Encode() to the result of Markdown Sharp will essentially double-encode code that's in code blocks.

hey-red commented 8 years ago

Yes, I know about this problem. As a solution, you can disable default code encoding (add as an option?). I think the best solution is to use a list of allowed tags (and attributes).

hey-red commented 8 years ago

@mmillican https://github.com/hey-red/markdownsharp/commit/3be28823b7ae6a365626bb047b5a752993389358

// Turn off the default encoding of code blocks.
Markdown mark = new Markdown(new MarkdownOptions
{
    DisableEncodeCodeBlock = true
});

NuGet package has been updated.