kzykhys / Ciconia

A New Markdown parser for PHP5.4
http://ciconia.kzykhys.com/
MIT License

Escaping raw HTML #32

Open Gargron opened 10 years ago

Gargron commented 10 years ago

Hello!

I tried removing the htmlBlock extension, but raw HTML is still allowed. I can't find any option to disable it. That's fine for command-line usage where you control the inputs, but if you want to parse Markdown on a site with user-generated content, allowing raw HTML is a hazard.

Where and how could this be done?

Cheers, Eugen

kzykhys commented 10 years ago

There is no option to disable raw HTML.

I will add options (or an extension) for it. Thank you for your feedback :)

tomsommer commented 9 years ago

Any news on this?

Go to http://ciconia.kzykhys.com/ and enter

<script>alert('oh no');</script>

Obviously only tags outside the code blocks should be stripped or converted (as here on github).
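As an added example (not Ciconia's code, and not something anyone posted in this thread) of the pre-processing both comments above ask for: escape raw HTML in the Markdown source so `<script>` reaches the page as text, but leave fenced code blocks alone. It assumes Ciconia's GFM fenced-code extension is enabled and HTML-escapes the contents of a column-0 ``` fence; the function name and the sample input are made up for the example.

```php
<?php
// Added example, not code from Ciconia or from anyone in this thread. It
// escapes raw HTML in the Markdown *source* before rendering. The function
// name is made up for the example.

/**
 * Escape every '<' except inside a complete ``` fenced code block.
 *
 * Fenced content is left alone on the assumption (not verified here) that
 * Ciconia's GFM fenced-code extension is enabled and HTML-escapes it.
 *
 * The exemption is kept strictly narrower than any fence syntax a parser
 * accepts, because a region this function exempts but the parser does NOT
 * treat as code is a bypass (the raw HTML would be rendered live):
 *   - opener must be "```" plus an optional \w* info string at column 0,
 *   - closer must be exactly "```" at column 0,
 *   - no body line may begin with ``` or ~~~ (after optional whitespace),
 *     so the parser cannot close the fence earlier than we do,
 *   - an unclosed fence matches nothing and its body is escaped as text.
 *
 * Inline `code spans` and 4-space indented code are deliberately not exempted
 * for the same reason: a 4-space indent is also a list-item continuation, and
 * span boundaries depend on block structure (lists, headers, blockquotes) the
 * parser resolves first. The cost is that '<' inside such code shows as "&lt;".
 */
function escapeRawHtml($markdown)
{
    // Normalise line endings so the line anchors below behave.
    $markdown = str_replace(array("\r\n", "\r"), "\n", $markdown);

    // Alternative 1: a complete fence (opener, body lines, closer), kept
    // verbatim. Alternative 2: any other '<', escaped.
    $pattern = '/^```\w*\n(?:(?![ \t]*(?:```|~~~)).*\n)*?```$|</m';

    return preg_replace_callback($pattern, function (array $m) {
        return $m[0] === '<' ? '&lt;' : $m[0];
    }, $markdown);
}

// Constructed demo input: the payload from this issue, a fenced block that
// must survive untouched, and an unclosed fence that must not be exempted.
$userInput = "Hello <b>world</b>, try <script>alert('oh no');</script>\n"
           . "```html\n<script>inside a fence</script>\n```\n"
           . "```\n<script>unclosed fence</script>\n";

$safeMarkdown = escapeRawHtml($userInput);
echo $safeMarkdown;

// Handing the result to Ciconia. The constructor, addExtension() and render()
// calls are taken from the project's README; treat them as an assumption here.
// Running the rendered HTML through an allowlist sanitiser afterwards (HTML
// Purifier shown) is still recommended, see the note below.
//
//   use Ciconia\Ciconia;
//   use Ciconia\Extension\Gfm\FencedCodeBlockExtension;
//   $ciconia = new Ciconia();
//   $ciconia->addExtension(new FencedCodeBlockExtension());
//   $html = $ciconia->render($safeMarkdown);
//   $purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
//   $html = $purifier->purify($html);
```

Trade-offs to be aware of: inline code and indented code containing `<` will display `&lt;` after rendering, and `<http://...>` autolinks stop working (users can write `[text](url)` instead). Escaping the source also does nothing about Markdown's own link syntax, which can still emit an `<a href>` with a `javascript:` URL, so the rendered HTML should still go through an allowlist sanitiser such as HTML Purifier before it is stored or displayed.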