timsayshey / Ghost-Markdown-Editor

Just a responsive jquery markdown editor with instant preview.
MIT License
472 stars 59 forks

A little worried(; · ∀ ·) #5

Open HiroyukiNIshimura opened 10 years ago

HiroyukiNIshimura commented 10 years ago

Although I am allowed to use it, because it is my very favorite.

But ...

<script>alert('xss')</script> ... Being able to run a script such as this, is it OK?

HiroyukiNIshimura commented 10 years ago

var preview = this.element.find('.rendered-markdown');

// setting.xssok: configuration flag that lets raw HTML in the markdown through unchanged
if (setting.xssok) {
    this.markdown = this.editor.getValue();
}
else {
    // Escape the whole source with .text() so <script> etc. become literal text before conversion
    var stack = $('<div></div>').text(this.editor.getValue());
    this.markdown = stack.html();
}
this.html = this.converter.makeHtml(this.markdown);
HiroyukiNIshimura commented 10 years ago

A slightly more decent idea :-)

$.widget( "b4m.ghostDown", {
    editor: null,
    markdown: null,
    html: null,
    converter: null,
    options: {
        // jQuery selector of elements to strip from the rendered preview
        tagRejections : null
    },

    // ... (the rest of the widget: _create, editor setup, etc.)

    // Preview refresh: render the markdown into a detached element, strip the
    // rejected elements, then copy the remaining HTML into the preview pane
    updatePreview: function () {
        var preview = this.element.find('.rendered-markdown');
        var dummy = $('<div></div>');

        this.markdown = this.editor.getValue();
        dummy.html(this.converter.makeHtml(this.markdown));
        if (this.options.tagRejections) {
            dummy.find(this.options.tagRejections).remove();
        }
        this.html = dummy.html();
        preview.html(this.html);
    }
});

// Comma-separated selector list: 'script foo bar' would be a descendant selector
// and only match <bar> nested inside <foo> inside <script>
$('.editor').ghostDown({ tagRejections: 'script, foo, bar' });
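The tag-rejection approach above removes whole elements by selector but leaves attributes on the surviving elements untouched, so an inline event handler or a `javascript:` link inside an otherwise permitted tag still reaches the preview. The following is an added example, not code from Ghost-Markdown-Editor, of an allow-list sanitizer for the converter's HTML output that runs in Node without a DOM: it keeps only known tags and attributes, drops the content of script-like elements, and checks URL attributes after decoding entities. It also shows the first proposal (escaping the markdown source before conversion) side by side. `ALLOWED_TAGS`, `sanitizeHtml`, `isSafeUrl` and `renderPreview` are names chosen here; the sample inputs in comments are constructed.

```javascript
// Added example (not part of Ghost-Markdown-Editor): allow-list sanitizer for
// markdown-rendered HTML, plus the "escape the source" alternative.

// Tags that may survive in the preview; anything else is dropped.
const ALLOWED_TAGS = new Set([
  'p', 'br', 'hr', 'strong', 'em', 'b', 'i', 'u', 's', 'a', 'img', 'code', 'pre',
  'blockquote', 'ul', 'ol', 'li', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
  'table', 'thead', 'tbody', 'tr', 'th', 'td',
]);
// Attributes allowed per tag. on* handlers and style are never allowed.
const ALLOWED_ATTRS = { a: ['href', 'title'], img: ['src', 'alt', 'title'] };
// Tags removed together with everything inside them.
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed', 'noscript']);

// Sticky regex: matches one opening/closing tag starting exactly at lastIndex.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)((?:\s+[^\s=\/>"']+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/y;
const ATTR_RE = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function codePoint(n) {
  return n === 0 || n > 0x10ffff ? '\uFFFD' : String.fromCodePoint(n);
}

// Minimal entity decoding, enough to see through &#106;avascript: style encodings.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => codePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => codePoint(parseInt(d, 10)))
    .replace(/&(amp|lt|gt|quot|apos);/g, (_, n) => ({ amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" }[n]));
}

// First proposal from the issue: turn the whole source into literal text.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// A URL is safe if it is relative or uses http, https or mailto. Control
// characters and whitespace are removed first because browsers ignore them.
function isSafeUrl(value) {
  const url = decodeEntities(value).replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
  const scheme = /^([a-z][a-z0-9+.-]*):/.exec(url);
  return scheme === null || ['http', 'https', 'mailto'].includes(scheme[1]);
}

// Second proposal, done on the converter output with an allow-list instead of a
// reject-list, and covering attributes as well as tags.
function sanitizeHtml(html) {
  let out = '';
  let i = 0;
  let dropUntil = null; // name of the open tag whose content is being discarded

  while (i < html.length) {
    const lt = html.indexOf('<', i);
    const text = html.slice(i, lt === -1 ? html.length : lt);
    if (dropUntil === null) out += text.replace(/>/g, '&gt;');
    if (lt === -1) break;

    if (html.startsWith('<!--', lt)) {          // comments are removed entirely
      const end = html.indexOf('-->', lt + 4);
      i = end === -1 ? html.length : end + 3;
      continue;
    }
    TAG_RE.lastIndex = lt;
    const m = TAG_RE.exec(html);
    if (m === null) {                           // a bare "<" that is not a tag
      if (dropUntil === null) out += '&lt;';
      i = lt + 1;
      continue;
    }
    i = TAG_RE.lastIndex;
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();

    if (dropUntil !== null) {
      if (closing && name === dropUntil) dropUntil = null;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) {
      if (!closing && DROP_WITH_CONTENT.has(name)) dropUntil = name;
      continue;                                 // tag removed, inner text of other tags kept
    }
    if (closing) { out += `</${name}>`; continue; }

    let attrs = '';
    const allowed = ALLOWED_ATTRS[name] || [];
    for (const a of m[3].matchAll(ATTR_RE)) {
      const attrName = a[1].toLowerCase();
      const raw = a[2] ?? a[3] ?? a[4] ?? '';
      if (!allowed.includes(attrName)) continue;
      if ((attrName === 'href' || attrName === 'src') && !isSafeUrl(raw)) continue;
      attrs += ` ${attrName}="${escapeHtml(decodeEntities(raw))}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out;
}

// How a preview refresh would use these: `convert` is the markdown converter
// (e.g. the widget's converter.makeHtml), escapeSource selects the first proposal.
function renderPreview(markdownSource, convert, { escapeSource = false } = {}) {
  return escapeSource ? convert(escapeHtml(markdownSource)) : sanitizeHtml(convert(markdownSource));
}

module.exports = { escapeHtml, isSafeUrl, sanitizeHtml, renderPreview };
```

Escaping the source is the simplest option and closes the hole completely, but it also disables the inline HTML that markdown normally allows; the allow-list sanitizer keeps that feature while still refusing unknown tags, handler attributes and non-http(s)/mailto URLs.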

lenisko commented 8 years ago

so... it's not committed yet?