search

taufik-nurrohman / parsedown-extra-plugin

Configurable Markdown to HTML converter with Parsedown Extra.
MIT License
60 stars 13 forks source link

Feature suggestion #2

Closed whimsicaldreamer closed 7 years ago

whimsicaldreamer commented 8 years ago

Firstly, a great plugin to parsedown specially after the new commit. On using it, it struck to me what about if the image links were made to be clickable, if the user chose to?

taufik-nurrohman commented 8 years ago

What do you mean by clickable? An ability to make all images becomes wrapped by an anchor element?

whimsicaldreamer commented 8 years ago

not all images. Only those are done by ![image](http://link) and that too if the user wants.

taufik-nurrohman commented 8 years ago

Then how can we specify things to decide that an image should be clickable?

taufik-nurrohman commented 8 years ago

Try something like this:

$parser->images_attr = array(
    'onclick' => 'window.open(this.src);'
);
whimsicaldreamer commented 8 years ago

Pretty nice. But will it be secure adding onClick rather than anchor tags? I dont know much about XSS so am curious.

taufik-nurrohman commented 8 years ago

For that onclick example, is now depends on the src content. Try this markup:

![test](data:text/html,<script>alert('fail');</script>)

If it opens up a new tab with an alert contains fail then it is not safe.

whimsicaldreamer commented 8 years ago

It survives the test. :smile:

taufik-nurrohman commented 8 years ago

What about:

![test](data:text/html,%3Cscript%3Ealert('fail');%3C%2Fscript%3E)