Open rashfael opened 7 years ago
Should involve a list of allowed HTML elements and sending everything through bleach.
Disallowing raw html in markdown should be enough.
It's not that easy, no. Markdown in itself permits HTML (as it is a superset of HTML), and therefore most HTML parsers don't have an option to disable HTML input entirely. But since user-submitted data that is displayed to other users as HTML should be bleached regardless, it's no extra work. Just wanted to make sure we don't forget about this.
What markdown parser would you be using? Marked, for example, has a "sanitize" option that ignores any source HTML.
To allow for formatting and clickable links, parse the event description as markdown.
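The allowlist approach discussed above (render markdown, then pass the resulting HTML through a sanitizer with a list of permitted elements), as an added example that is not part of this issue thread or the project's code. It uses only the Python standard library to show what such a sanitizer does; in the project itself `bleach.clean()` would perform this step, and a real sanitizer also balances unclosed tags, which this illustration does not. The allowed tag and attribute lists, the URL scheme list and the sample HTML are constructed for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlists: elements a markdown renderer legitimately emits for
# an event description, the attributes they may carry, and link schemes.
ALLOWED_TAGS = {"p", "em", "strong", "a", "ul", "ol", "li", "code", "pre",
                "br", "h1", "h2", "h3", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_PROTOCOLS = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
# Elements whose text content is dropped entirely, not just the tag.
DROP_CONTENT = {"script", "style"}


def _safe_href(value: str) -> bool:
    """Allow relative links and links with an allowlisted scheme only."""
    scheme = urlsplit(value.strip()).scheme.lower()
    return scheme == "" or scheme in ALLOWED_PROTOCOLS


class AllowlistSanitizer(HTMLParser):
    """Rebuilds HTML keeping only allowlisted tags and attributes.

    Disallowed tags are stripped but their text is kept (like bleach's
    strip=True); script/style content is removed along with the tag.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.drop_depth = 0  # >0 while inside script/style content

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag in DROP_CONTENT:
                self.drop_depth += 1
            return
        if tag in DROP_CONTENT:
            self.drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # strip the tag, keep whatever text follows
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers etc. never pass the allowlist
            if name == "href" and not _safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROP_CONTENT:
                self.drop_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            # Re-escape text so nothing is re-interpreted as markup.
            self.out.append(escape(data, quote=False))


def sanitize(html: str) -> str:
    """Return html reduced to the allowlisted subset."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample: what a markdown renderer emits when the source text
# contains raw HTML alongside ordinary formatting and a link.
SAMPLE = (
    '<p>Talk on <strong>security</strong>, see '
    '<a href="https://example.org/x" onclick="x()">site</a>.</p>'
    '<script>alert(1)</script>'
    '<a href="javascript:alert(1)">click</a>'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Formatting and the well-formed `https` link survive, while the inline event handler, the script element and the `javascript:` link target are dropped. Because sanitizing happens on the rendered HTML, it does not matter whether the markdown parser itself offers a "sanitize" switch.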