Pegdown escapes HTML in code blocks, but not in other output. If I want to protect myself against XSS, I have to escape the input for pegdown manually; however, this results in code blocks being escaped twice, resulting in wrong output.
I am looking for an option either to disable escaping for code blocks and do the escaping myself, or to enable HTML escaping for all elements (which I think should have been the default).
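The double-escaping effect described above, reproduced as an added example that is not part of the original post and does not use pegdown itself. The `render` function is a hypothetical toy renderer that only models the reported behaviour (code spans escaped, other text passed through), and its `escape_text` flag stands in for the "escape everything" option the post asks for.

```python
import html
import re

# Constructed sample: an inline code span plus raw HTML outside of it.
SAMPLE = "Use `<b>` for bold. <script>alert(1)</script>"

CODE_SPAN = re.compile(r"`([^`]*)`")


def render(markdown, escape_text=False):
    """Toy renderer: code spans are always escaped, other text only on request.

    escape_text=False models the behaviour the post reports (raw HTML outside
    code passes through). escape_text=True is the assumed "escape all
    elements" option; it is not a real pegdown setting.
    """
    out, pos = [], 0
    for m in CODE_SPAN.finditer(markdown):
        text = markdown[pos:m.start()]
        out.append(html.escape(text) if escape_text else text)
        out.append("<code>" + html.escape(m.group(1)) + "</code>")
        pos = m.end()
    tail = markdown[pos:]
    out.append(html.escape(tail) if escape_text else tail)
    return "".join(out)


def passthrough(markdown):
    # No caller-side escaping: markup outside code reaches the page unchanged.
    return render(markdown)


def pre_escaped(markdown):
    # Caller escapes the whole input first: code spans get escaped a second time.
    return render(html.escape(markdown))


def escaped_once(markdown):
    # Renderer escapes every text run exactly once, inside and outside code.
    return render(markdown, escape_text=True)


if __name__ == "__main__":
    for pipeline in (passthrough, pre_escaped, escaped_once):
        print(f"{pipeline.__name__:13} {pipeline(SAMPLE)}")
```

Only the last pipeline yields output where the code span displays as `<b>` and the text outside it is inert; escaping has to happen once, at the point where the renderer already knows which parts are code.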