openlibhums / pandoc_plugin

Plugin for janeway for automatic galley generation
GNU Affero General Public License v3.0

Call pandoc more carefully #4

Closed mdlincoln closed 5 years ago

mdlincoln commented 5 years ago

From the pandoc user guide:

Pandoc’s parsers can exhibit pathological performance on some corner cases. It is wise to put any pandoc operations under a timeout, to avoid DOS attacks that exploit these issues. If you are using the pandoc executable, you can add the command line options +RTS -M512M -RTS (for example) to limit the heap size to 512MB.

mdlincoln commented 5 years ago

Also, immediately after that is:

The HTML generated by pandoc is not guaranteed to be safe. If raw_html is enabled for the Markdown input, users can inject arbitrary HTML. Even if raw_html is disabled, users can include dangerous content in attributes for headers, spans, and code blocks. To be safe, you should run all the generated HTML through an HTML sanitizer.

Does janeway do sanitizing/escaping when displaying HTML galleys?
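The two mitigations quoted above (a timeout plus a GHC heap cap on the pandoc call, then an HTML sanitizer on the output) as an added example; this is not code from the pandoc_plugin repository or from Janeway. It assumes a `pandoc` binary on PATH, and the allow-list sanitizer is a small stdlib stand-in for a maintained library.

```python
import subprocess
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "em", "strong", "h1", "h2", "h3", "ul", "ol", "li",
                "a", "code", "pre", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}           # everything else (id, class, on*) is dropped
SAFE_SCHEMES = ("http://", "https://", "mailto:")
SKIP_CONTENT = {"script", "style"}        # drop these tags *and* their text


def pandoc_command(src, dst, heap="512M"):
    """argv for pandoc: +RTS -M<heap> -RTS caps the Haskell heap (as the
    manual suggests); markdown-raw_html turns the raw_html extension off."""
    return ["pandoc", "+RTS", f"-M{heap}", "-RTS",
            "-f", "markdown-raw_html", "-t", "html", "-o", dst, src]


def run_pandoc(src, dst, timeout_s=30, heap="512M"):
    """Run pandoc under a wall-clock timeout; pathological input raises
    subprocess.TimeoutExpired instead of hanging the galley job.
    (Assumed helper; needs a real pandoc binary, so it is not exercised here.)"""
    subprocess.run(pandoc_command(src, dst, heap), check=True, timeout=timeout_s)


class _Sanitizer(HTMLParser):
    """Rebuilds the document keeping only allow-listed tags/attributes;
    all text is re-escaped, so nothing from the input reaches output raw."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_CONTENT:
            self.skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return                                   # unknown tag dropped, its text kept
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, ()) and value is not None:
                if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                    continue                         # drops javascript:/data: links
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in SKIP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))


def sanitize_html(html):
    p = _Sanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```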

ajrbyers commented 5 years ago

FYI: not sure this is the master pandoc plugin repo as the switch over failed.