Closed: Piwy-dev closed this issue 8 months ago.
Due to our stance on security, we have no plans to work on that.
Marp Core is designed as an open-ended library used by a wide range of developers. Thus, its default settings should offer maximum protection from security threats arising from Markdown content, such as `<script>` tags and `on*` event attributes on any tags. This aligns with the philosophy of the markdown-it parser, which Marp and Marpit depend on.
> Many people don't understand that markdown format does not care much about security. ...
>
> - Don't enable HTML. Extend markup features with plugins. We think it's the best choice and use it by default.
> - That's ok for 99% of user needs.
> - Output will be safe without sanitizer.
>
> — https://github.com/markdown-it/markdown-it/blob/master/docs/security.md
However, it is a fact that enabling HTML tags has become a common practice across various Marp tools due to its convenience, despite the vulnerabilities to malicious Markdown + HTML.
We have already seen this as a problem. Marp Core has a long pinned issue #301, to collect a list of commonly used HTML tags and attributes from the Marp community.
We want to find out a default HTML safelist that is suitable and secure for every Marp user. So we also want more feedback from many more users on #301. If a default HTML safelist were provided, most users would not need to enable HTML tags explicitly.
FYI: If possible, tell us which HTML tags you are using in your Marp slides to move things forward on this issue. marp-team/marp#501
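The three policies the comment above contrasts (HTML disabled so tags are escaped to text, HTML enabled with raw passthrough, and a tag/attribute safelist as the middle ground) as an added illustration in JavaScript. This is example code written for this page, not Marp Core's or markdown-it's implementation: the safelist contents, the function names and the sample fragment are assumptions constructed for the demo, and the tag tokenizer is deliberately minimal.

```javascript
// Added illustration (not Marp Core's or markdown-it's code) of three ways a
// Markdown renderer can treat raw HTML in a slide: escape it entirely, pass it
// through untouched, or keep only a safelist of tags and attributes.
// The safelist below is an assumption for this example, not Marp Core's list.
// A Map (not a plain object) is used so that a tag named "constructor" or
// "__proto__" cannot hit an inherited property and be treated as allowed.
const SAFELIST = new Map([
  ['div',  new Set(['class'])],   // the tag the mermaid use case needs
  ['span', new Set(['class'])],
  ['br',   new Set()],
  // href/src are deliberately absent: URL attributes need a scheme check
  // (javascript:, data:) on top of the name-based filtering shown here.
]);

// Minimal HTML text escaping; used for "HTML disabled" output and for any tag
// that is not on the safelist, so <script> becomes visible text, never markup.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Matches one start/end tag with optional attributes (quoted or bare values).
// Comments, doctype and anything else starting with "<" fail to match and are
// escaped as text. This is a small tokenizer for the demo only; a production
// filter should sit on a real HTML parser/sanitizer, not a regex.
const TAG_RE = /^<(\/?)([a-zA-Z][a-zA-Z0-9-]*)((?:\s+[^\s"'<>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'<>=`]+))?)*)\s*(\/?)>/;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>=`]+)))?/g;

// Keep only safelisted tags; on those tags keep only safelisted attributes and
// never any on* event handler. Everything else is escaped to text.
function filterHtml(fragment, safelist = SAFELIST) {
  let out = '';
  let i = 0;
  while (i < fragment.length) {
    const lt = fragment.indexOf('<', i);
    if (lt === -1) { out += escapeText(fragment.slice(i)); break; }
    out += escapeText(fragment.slice(i, lt));           // text before the tag
    const m = TAG_RE.exec(fragment.slice(lt));
    if (!m) { out += '&lt;'; i = lt + 1; continue; }    // a stray "<"
    const [raw, closing, name, attrText, selfClose] = m;
    i = lt + raw.length;
    const tag = name.toLowerCase();
    const allowed = safelist.get(tag);
    if (!allowed) { out += escapeText(raw); continue; } // e.g. <script>, <img>
    if (closing) { out += `</${tag}>`; continue; }
    let attrs = '';
    for (const a of attrText.matchAll(ATTR_RE)) {
      const attrName = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (attrName.startsWith('on') || !allowed.has(attrName)) continue;
      attrs += ` ${attrName}="${escapeText(value)}"`;   // re-quoted and escaped
    }
    out += `<${tag}${attrs}${selfClose ? ' /' : ''}>`;
  }
  return out;
}

// The three policies discussed in the thread, applied to one HTML fragment.
// 'disabled' approximates markdown-it with html: false (tags become text),
// 'enabled' is html: true with no sanitizer, 'safelist' is the middle ground.
function renderHtmlFragment(fragment, mode) {
  switch (mode) {
    case 'disabled': return escapeText(fragment);
    case 'enabled':  return fragment;
    case 'safelist': return filterHtml(fragment);
    default: throw new Error(`unknown mode: ${mode}`);
  }
}

// Constructed sample: the mermaid <div> a user wants, plus two payloads a
// malicious Markdown file could carry once HTML is enabled.
const SAMPLE = [
  '<div class="mermaid" onclick="alert(1)">graph TD; A-->B</div>',
  '<img src=x onerror="alert(document.cookie)">',
  '<script>alert(1)</script>',
].join('\n');

for (const mode of ['disabled', 'enabled', 'safelist']) {
  console.log(`--- ${mode} ---\n${renderHtmlFragment(SAMPLE, mode)}`);
}
```

Running it prints the same fragment under each policy: with HTML disabled the mermaid `div` is lost along with the payloads, with HTML enabled all three reach the browser as live markup, and with the safelist the `div` survives with its `class` while `onclick`, the `img onerror` payload and the `script` element are rendered as inert text. That is the trade-off behind #301: a safelist lets the common tags through without turning every Markdown file into an XSS vector.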
I've been trying to use "div" to make mermaid work in marp-core.
Right now, by default, the `Enable HTML` option is set to false. I think it would be best to set it to true by default, as many users will use HTML to enhance their presentation (images, styling...). This also forces users to use the `--html` option when exporting their project, which can be confusing because one could think this option is for building in HTML format, not for allowing HTML in the Markdown. Having the `Enable HTML` option set to true by default would prevent this and would also prevent users from having to research why their HTML content is not being displayed when rendering the exports. An option `--no-html` could be added instead for users that don't want to render HTML content when exporting.