Closed by srsgores 9 years ago
I currently don't support that option, but I can add that in this weekend. Something like:
{{md-text text=myText html=true}}
Note that I believe this won't really work with user input though, as it will be vulnerable to XSS out of the box. Only whitelisting particular tags will be a bit more difficult (but something I also seek to support via plugins #7).
@johnotander, isn't that the purpose of Handlebars.SafeString?
Yeah. Though, from my understanding, Handlebars.SafeString will encode the HTML, so Remarkable would no longer be able to handle the HTML. However, I'm not familiar with how Remarkable handles HTML, so I could be entirely incorrect.
I will look into it.
Also, I'm assuming you are referring to the html option that Remarkable provides, correct? https://github.com/jonschlinkert/remarkable#constructor
Yes.
@srsgores I've enabled html support in #9.
It looks like using html mode for user input will be vulnerable to XSS because it will embed <script> tags, or anything else that is passed in as text. This is because the Handlebars.SafeString makes it so the HTML string is not escaped, allowing HTML to be added to the page.
At some point I might try to create a remarkable plugin that removes malicious js. But, that will be a pretty tricky undertaking...
This should be published to npm in the next hour or so. :beers:
Published to npm ember-remarkable@1.3.0.
I would like to enable html mode, such that I may enter HTML instead of markup. How can I do this?
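The XSS concern raised in this thread (html mode output is rendered unescaped, so user-supplied `<script>` tags reach the page) can be narrowed with an escape-first allowlist applied to untrusted input before it is rendered. This is an added example, not code from the thread or from ember-remarkable; `ALLOWED_TAGS`, `escapeHtml` and `sanitizeUserHtml` are hypothetical names and the tag list is an assumption.

```javascript
// Added example: escape-first tag allowlist for untrusted input.
// ALLOWED_TAGS, escapeHtml and sanitizeUserHtml are hypothetical names,
// not part of ember-remarkable, Remarkable or Handlebars.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'code', 'pre', 'p', 'br']);

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every HTML metacharacter so nothing in the input is live markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Restore only bare allowlisted tags such as <b> or </b>.
// A tag carrying attributes (onclick=, href=, style=) never matches the
// pattern, so it stays escaped and is displayed as text.
function sanitizeUserHtml(input) {
  const escaped = escapeHtml(input);
  return escaped.replace(/&lt;(\/?)([a-zA-Z][a-zA-Z0-9]*)&gt;/g, (match, slash, name) => {
    const tag = name.toLowerCase();
    return ALLOWED_TAGS.has(tag) ? `<${slash}${tag}>` : match;
  });
}

// Constructed sample input: one allowed tag, one script tag, one tag
// with an event-handler attribute.
const sample = '<strong>bold</strong> <script>alert(1)</script> <b onclick="x()">hi</b>';
console.log(sanitizeUserHtml(sample));
```

Because every `>` and quote character is escaped, Markdown blockquotes and quoted link titles in the input do not survive this filter. Tags are restored without checking that they are balanced, so a stray closing tag can affect layout but cannot carry script.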