sparksuite / simplemde-markdown-editor

A simple, beautiful, and embeddable JavaScript Markdown editor. Delightful editing for beginners and experts alike. Features built-in autosaving and spell checking.
https://simplemde.com
MIT License
9.93k stars 1.12k forks

No option to sanitize input #624

Open NoNameProvided opened 7 years ago

NoNameProvided commented 7 years ago

There is no option to escape CSS or HTML tags.

E.g. entering `<style> * { float: left }</style>` will render the whole content useless and there is no option to disable it.

Can be tested on https://simplemde.com/

F-loat commented 7 years ago

duplicate #243

charlesr1971 commented 2 years ago

Am I right in thinking there is a previewRender() hook:

previewRender: Custom function for parsing the plaintext Markdown and returning HTML. Used when user previews.

Couldn’t you use DOMPurify on the preview:

```js
new SimpleMDE({
    previewRender: function(plainText) {
        // Parse with marked, then strip unsafe markup before it reaches the preview pane
        return DOMPurify.sanitize(marked.parse(plainText));
    },
});
```

The reason why SimpleMDE doesn’t sanitise is because it uses Marked library for the preview:

https://github.com/markedjs/marked

I have made a little demo:

https://codepen.io/charles1971/pen/QWxLgog

Just add the following to the editor:

```html
<img src="https://images-theconversation-com.cdn.ampproject.org/i/s/images.theconversation.com/files/395973/original/file-20210420-21-zns2o9.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=320&h=213&fit=crop&dpr=3" onClick="doSomethingMalicious();" />
```

Then press the preview icon and look in the pen console. You will see that the onClick attribute has been removed! 🙏
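As an added, self-contained version of the approach described in the comment above (editor's example, not code from SimpleMDE or from the commenter's pen): a page that wires SimpleMDE's `previewRender` hook to marked plus DOMPurify and then runs both payloads from this thread through the hook, logging the before/after HTML to the console. The CDN paths and the `#editor` textarea id are assumptions. Note the caveat for the original report: DOMPurify keeps `<style>` elements by default because CSS is outside its XSS threat model, so the `<style> * { float: left }</style>` payload would survive `DOMPurify.sanitize` with default settings; the policy below forbids it explicitly.

```html
<!doctype html>
<html>
<head>
  <meta charset="utf-8">
  <!-- CDN locations are assumed; pin versions you have reviewed before deploying -->
  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/simplemde@1.11.2/dist/simplemde.min.css">
  <script src="https://cdn.jsdelivr.net/npm/simplemde@1.11.2/dist/simplemde.min.js"></script>
  <script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
  <script src="https://cdn.jsdelivr.net/npm/dompurify@3/dist/purify.min.js"></script>
</head>
<body>
  <textarea id="editor"></textarea>
  <script>
    // Sanitizer policy for the preview pane. DOMPurify's defaults already drop
    // <script> and on* handlers, but they allow <style>, which is exactly the
    // element used in this issue to wreck the layout, so forbid it explicitly.
    var PREVIEW_POLICY = {
      USE_PROFILES: { html: true },                  // no SVG / MathML in a note editor
      FORBID_TAGS: ['style', 'form', 'input', 'button'],
      FORBID_ATTR: ['style']                          // inline CSS can float/overlay too
    };

    // The hook SimpleMDE calls with the raw Markdown whenever the preview is shown.
    function renderPreview(plainText) {
      var html = marked.parse(plainText);            // Markdown -> HTML (raw HTML passes through)
      return DOMPurify.sanitize(html, PREVIEW_POLICY); // HTML -> HTML minus dangerous markup
    }

    var editor = new SimpleMDE({
      element: document.getElementById('editor'),
      previewRender: renderPreview
    });

    // Self-check: the two payloads from this thread plus a javascript: link,
    // all constructed here for the demo. Open the console to see the result.
    var payloads = [
      '<style> * { float: left }</style>',
      '<img src="x.jpeg" onClick="doSomethingMalicious();" />',
      '[click me](javascript:alert(1))'
    ];
    payloads.forEach(function (md) {
      var raw = marked.parse(md);
      var clean = renderPreview(md);
      var stillDangerous = /<style|onclick|javascript:/i.test(clean);
      console.log(stillDangerous ? 'FAIL' : 'OK  ', JSON.stringify(raw), '->', JSON.stringify(clean));
    });

    // Put the first payload in the editor so pressing the preview icon exercises the hook.
    editor.value(payloads[0] + '\n\nStill readable?');
  </script>
</body>
</html>
```

Two things to keep in mind when relying on this: `previewRender` only affects the HTML SimpleMDE paints into its own preview pane, so the Markdown the user submits is still unsanitized text and must be sanitized again wherever it is rendered (server side, other clients), since anyone can bypass the editor and post Markdown directly; and the policy above is the editor's choice, not a DOMPurify or SimpleMDE default, so extend `FORBID_TAGS`/`FORBID_ATTR` to match what your application actually allows.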