hexo-starter
Switch to markdown-it
and update other plugins
Following security issue on hexo-renderer-marked: https://github.com/hexojs/hexo-renderer-marked/pull/210
Ready to be merged :)
I think maybe no problem if we switch the default markdown parser from marked to markdown-it. But, I want to know other maintainers' opinions. They may come up with some problems or issues.
Understood. The main reason is that marked has some security issues that markdown-it does not have.
There is no sanitizer in marked. You have to add it on top. But by default, markdown-it is safe.
I think maybe no problem if we switch the default markdown parser from marked to markdown-it. But, I want to know other maintainers' opinions. They may come up with some problems or issues.
Personally, I prefer hexo-renderer-marked. The benchmark between hexo-renderer-markdown-it and hexo-renderer-marked is probably outdated (at least in my case, it is faster than hexo-renderer-markdown-it).
Also, we need to compare the differences between the output from hexo-renderer-marked and the output from hexo-renderer-markdown-it, to see if it is potentially a breaking change that breaks new users (especially with existing themes). And if there is any, we should defer it to Hexo 7.0.0.
That's to say, I am not against hexo-renderer-markdown-it, but more tests and preparations need to be done.
There is one. https://github.com/hexojs/hexo-renderer-marked#options
Autolink in marked will convert full URLs, while the same feature in markdown-it will also convert URLs without a scheme.