Marp Core now allows many HTML elements and attributes by default that are considered safe. The allowlist covers elements and attributes mentioned in the feedback thread https://github.com/orgs/marp-team/discussions/501.
`href`, `src`, and similar attributes are subject to URL scheme checking. By default, schemes other than `http` and `https` are always sanitized. For attributes that may reference an image, `data:image/*` is also allowed.
Elements and attributes that are too powerful, such as the `<script>` and `<link>` elements and the `on***` and `style` attributes, are still not allowed by default. Developers can enable them through the `html: true` constructor option as before.
> [!TIP]
> To get back the previous allowlist, compatible with Marp Core v3, set the `html` constructor option to `html: { br: [] }`. That allows only the `<br>` tag.
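The following is an added illustration of the allowlist policy described above, written for this note; it is not Marp Core's own sanitizer and does not reproduce its real allowlist. It uses the same `{ element: [attributes] }` shape as the `html` option, with a small assumed set of elements so the behaviour is easy to trace: unknown elements and attributes (`<script>`, `on*`, `style`) are dropped, URL-carrying attributes keep only `http`/`https` values, and `data:image/*` is accepted only on the image attribute `src`.

```javascript
// Added example, not Marp Core's code. The element table is an assumed minimal
// subset; Marp Core's default allowlist is larger.
const DEFAULT_ALLOWLIST = {
  b: [], i: [], em: [], strong: [], p: [], br: [],
  a: ['href', 'title'],
  img: ['src', 'alt'],
};

// Attributes that carry a URL, and the subset that may reference an image.
const URL_ATTRS = new Set(['href', 'src']);
const IMAGE_ATTRS = new Set(['src']);

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Scheme check: only http/https pass; data:image/* passes on image attributes.
// Control characters and spaces are stripped before matching the scheme, since
// browsers ignore them inside a scheme ("java\tscript:" would otherwise slip by).
function urlAllowed(attr, value) {
  const v = value.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  const m = v.match(/^([a-z][a-z0-9+.-]*):/);
  if (!m) return true; // relative URL, no scheme
  const scheme = m[1];
  if (scheme === 'http' || scheme === 'https') return true;
  if (IMAGE_ATTRS.has(attr) && v.startsWith('data:image/')) return true;
  return false;
}

// Rewrite a single tag token such as `<a href="x" onclick="y">`, `</a>` or `<br/>`.
// Disallowed elements are escaped to text rather than silently removed.
function sanitizeTag(tag, allowlist) {
  const m = tag.match(/^<(\/?)([a-zA-Z][a-zA-Z0-9-]*)([^>]*?)(\/?)>$/);
  if (!m) return escapeHtml(tag);
  const [, closing, rawName, rawAttrs, selfClose] = m;
  const name = rawName.toLowerCase();
  if (!(name in allowlist)) return escapeHtml(tag);
  if (closing) return `</${name}>`;

  const allowedAttrs = new Set(allowlist[name]);
  const kept = [];
  const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let am;
  while ((am = attrRe.exec(rawAttrs)) !== null) {
    const attr = am[1].toLowerCase();
    const value = am[2] ?? am[3] ?? am[4] ?? '';
    if (!allowedAttrs.has(attr)) continue;                       // drops on*, style, etc.
    if (URL_ATTRS.has(attr) && !urlAllowed(attr, value)) continue; // drops javascript:, data:text/...
    kept.push(`${attr}="${value.replace(/"/g, '&quot;')}"`);
  }
  return `<${name}${kept.length ? ' ' + kept.join(' ') : ''}${selfClose ? ' /' : ''}>`;
}

// Sanitize every tag in a fragment. Text between tags is passed through unchanged
// (in Marp it comes from Markdown). Attribute values containing a literal `>` are
// not handled by this simplified tokenizer.
function sanitize(html, allowlist = DEFAULT_ALLOWLIST) {
  return html.replace(/<[^>]*>/g, (tag) => sanitizeTag(tag, allowlist));
}

// Constructed sample inputs.
console.log(sanitize('<a href="javascript:alert(1)" onclick="evil()">x</a>'));
console.log(sanitize('<img src="data:image/png;base64,AAAA" style="color:red">'));
console.log(sanitize('<b>bold</b><br>', { br: [] }));
```

Passing `{ br: [] }` as the allowlist reproduces the v3-style behaviour from the tip above: everything except `<br>` is escaped to text. Note that `data:image/*` is accepted only where the attribute can reference an image, so the same data URL on an `<a href>` is dropped.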
Resolves #301, #368.