johno / ember-remarkable

Ember addon for Remarkable markdown parsing helpers and components.
MIT License

Allow HTML mode? #8

Closed srsgores closed 9 years ago

srsgores commented 9 years ago

I would like to enable html mode, such that I may enter HTML instead of markup. How can I do this?

johno commented 9 years ago

I currently don't support that option, but I can add that in this weekend. Something like:

{{md-text text=myText html=true}}

Note, that I believe this won't really work with user input though, as it will be vulnerable to XSS out of the box. Only whitelisting particular tags will be a bit more difficult (but something I also seek to support via plugins #7).

srsgores commented 9 years ago

@johnotander, isn't that the purpose of Handlebars.SafeString?

johno commented 9 years ago

Yeah. Though, from my understanding, Handlebars.SafeString will encode the HTML, so Remarkable would no longer be able to handle the HTML. However, I'm not familiar with how Remarkable handles HTML, so I could be entirely incorrect.

I will look into it.

Also, I'm assuming you are referring to the html option that Remarkable provides, correct?: https://github.com/jonschlinkert/remarkable#constructor

srsgores commented 9 years ago

Yes.

johno commented 9 years ago

@srsgores I've enabled html support in #9.

It looks like using html mode for user input will be vulnerable to XSS because it will embed <script> tags, or anything else that is passed in as text. This is because the Handlebars.SafeString makes it so the HTML string is not escaped, allowing HTML to be added to the page.

At some point I might try to create a remarkable plugin that removes malicious js. But, that will be a pretty tricky undertaking...
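The tag-allowlist approach johno mentions, as an added example that is neither ember-remarkable's nor Remarkable's code: it runs over the HTML string Remarkable emits in html mode, before that string is wrapped in a Handlebars.SafeString. The ALLOWED table, SAFE_URL prefix list and function names are assumptions for the illustration.

```javascript
// Added illustration, not part of ember-remarkable. Filters rendered HTML
// down to an allowlist of tags and attributes; everything else is escaped
// back into visible text. The allowlist itself is an assumption.
const ALLOWED = {
  p: [], em: [], strong: [], code: [], pre: [], ul: [], ol: [], li: [],
  blockquote: [], br: [], a: ['href', 'title'], img: ['src', 'alt'],
};
// URL schemes/prefixes accepted in href and src (allowlist, not a denylist).
const SAFE_URL = /^(?:https?:|mailto:|\/|#|\.)/i;

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

function sanitizeHtml(html) {
  // Matches either a complete tag, or a stray '<' / '>' that must be escaped.
  const TAG = /<(\/?)([a-zA-Z][\w-]*)([^<>]*)>|[<>]/g;
  // name, then optionally ="..." | '...' | bare value
  const ATTR = /([a-zA-Z][\w-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  return html.replace(TAG, (tok, slash, rawName, rawAttrs) => {
    if (rawName === undefined) return escapeText(tok);   // lone < or >
    const name = rawName.toLowerCase();
    if (!(name in ALLOWED)) return escapeText(tok);       // e.g. <script>
    if (slash) return `</${name}>`;
    const kept = [];
    for (const m of rawAttrs.matchAll(ATTR)) {
      const attr = m[1].toLowerCase();
      if (!ALLOWED[name].includes(attr)) continue;        // drops onerror etc.
      const value = m[2] ?? m[3] ?? m[4] ?? '';
      // Reject javascript:, data: and anything else not on the URL allowlist.
      if ((attr === 'href' || attr === 'src') && !SAFE_URL.test(value.trim())) continue;
      kept.push(`${attr}="${escapeText(value)}"`);
    }
    return `<${name}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
}
```

A regex filter like this is only a sketch of the idea; a maintained HTML sanitizer library would be the choice for real user input.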

johno commented 9 years ago

This should be published to npm in the next hour or so. :beers:

johno commented 9 years ago

Published to npm ember-remarkable@1.3.0.