Open NoNameProvided opened 7 years ago
duplicate #243
Am I right in thinking there is a previewRender() hook:
previewRender: Custom function for parsing the plaintext Markdown and returning HTML. Used when user previews.
Couldn't you use DOMPurify on the preview:
previewRender: function(plainText) {
    return DOMPurify.sanitize(marked.parse(plainText));
},
The reason SimpleMDE doesn't sanitise is that it uses the Marked library for the preview:
https://github.com/markedjs/marked
I have made a little demo:
https://codepen.io/charles1971/pen/QWxLgog
Just add the following to the editor:
<img src="https://images-theconversation-com.cdn.ampproject.org/i/s/images.theconversation.com/files/395973/original/file-20210420-21-zns2o9.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=320&h=213&fit=crop&dpr=3" onClick="doSomethingMalicious();" />
Then press the preview icon and look in the pen console. You will see that the onClick attribute has been removed! 🙏
There is no option to escape CSS or HTML tags.
E.g. entering
<style> * { float: left }</style>
will render the whole content useless and there is no option to disable it. Can be tested on https://simplemde.com/
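Putting the two points of this thread together (the `previewRender` hook from the comment above and the `<style>` case from the report), here is an added example of how the hook can be wired so that sanitisation happens on the rendered HTML and fails closed. This is not code from the thread, from SimpleMDE, Marked or DOMPurify; `makeSafePreviewRender`, `escapeHtml` and `SANITIZE_CONFIG` are names chosen here, and the example assumes `marked` and `DOMPurify` are loaded as globals in the browser (they are passed in explicitly so the wiring can be exercised with stubs). `FORBID_TAGS` and `FORBID_ATTR` are real DOMPurify configuration options.

```javascript
// Added example, not part of the SimpleMDE issue thread.
// Assumes marked.parse() and DOMPurify.sanitize() are available on the page;
// they are injected so the wiring is testable and so a missing sanitiser
// fails closed instead of handing raw HTML to the preview pane.

// Minimal HTML escaping used only for the fail-closed fallback.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Builds a previewRender function for SimpleMDE.
//   parse          - Markdown -> HTML (e.g. marked.parse)
//   sanitize       - HTML -> safe HTML (e.g. DOMPurify.sanitize)
//   sanitizeConfig - optional DOMPurify config object
function makeSafePreviewRender({ parse, sanitize, sanitizeConfig }) {
  return function previewRender(plainText) {
    if (typeof sanitize !== 'function') {
      // Fail closed: if the sanitiser did not load (e.g. a blocked CDN),
      // show the escaped source instead of unsanitised markup.
      return '<pre>' + escapeHtml(plainText) + '</pre>';
    }
    // Sanitise the *rendered* HTML, not the Markdown source. Marked passes
    // raw HTML through unchanged, so the rendered output is the only place
    // where everything the preview will display is in one form.
    return sanitize(parse(plainText), sanitizeConfig);
  };
}

// Tightening beyond DOMPurify's default allow-list for the case in the report:
// a stray `<style> * { float: left }</style>` in the preview restyles the
// whole page, so style elements and inline style attributes are dropped.
const SANITIZE_CONFIG = {
  FORBID_TAGS: ['style'],
  FORBID_ATTR: ['style'],
};

// Browser usage (assumes the SimpleMDE, marked and DOMPurify globals exist):
//
// new SimpleMDE({
//   element: document.getElementById('editor'),
//   previewRender: makeSafePreviewRender({
//     parse: marked.parse,
//     sanitize: DOMPurify.sanitize,
//     sanitizeConfig: SANITIZE_CONFIG,
//   }),
// });
```

Because the sanitiser is applied after Markdown rendering, the `onClick` attribute from the `<img>` payload above is removed by DOMPurify's default attribute allow-list, and the `<style>` block from the report is removed by the `FORBID_TAGS` entry; neither the editor nor the textarea content is touched, only what the preview pane renders.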