
[Security] When is {@html ...} used?

Open elimisteve opened this issue 3 years ago • 2 comments

From the README:

Just like with React Markdown, this package doesn't use {@html ...} unless you need to render HTML.

What does this mean? Obviously the whole point is rendering Markdown source to HTML, so does that mean that {@html ...} is often used, and therefore we must sanitize user input some other way?

Thanks!

elimisteve avatar Feb 26 '22 05:02 elimisteve

The only moment {@html ...} is used is when your markdown contains HTML. This package turns markdown into components (which eventually will be turned into HTML by Svelte).


There's a slight issue due to how @html works on Svelte. A paragraph needs to be either markdown or HTML. You can't mix both. For example this works:

This is a **markdown** paragraph

<p>This is an <strong>HTML</strong> paragraph</p>

In this case the second paragraph will be rendered using {@html ...}. The first paragraph won't.

This does not work:

This <em>will</em> not _work_.

pablo-abc avatar Feb 27 '22 00:02 pablo-abc

If you are concerned about {@html ...} you can remove it from the whole svelte-markdown manually by including a custom html renderer:

<script>
  // Receives the raw HTML source of the block; rendering it as {text}
  // outputs it as escaped text instead of injecting it via {@html ...}.
  export let text;
</script>

{text}

This will remove unwanted behaviour "if html, render it".

ZerdoX-x avatar Jun 19 '22 05:06 ZerdoX-x
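To make the two rendering paths discussed in this thread concrete (pablo-abc's explanation that only HTML blocks go through {@html ...}, and ZerdoX-x's custom html renderer that emits the block as text), here is an added example that is not from svelte-markdown or from any of the commenters. It works on a constructed token list shaped roughly like a markdown lexer's output (the shape, the `parts` field and the `rawHtml` option are assumptions for illustration, not svelte-markdown's own API) and shows what reaches the DOM in each case.

```javascript
// Added example (not svelte-markdown's code). Simulates the two rendering paths:
// "paragraph" tokens are built from their parsed inline parts, "html" tokens are
// either passed through raw (what {@html ...} does) or escaped to plain text
// (what a custom html renderer that outputs {text} does).

// Minimal HTML escaping, equivalent to what a Svelte text node does with {text}.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Render one inline part of a markdown paragraph. Only text, strong and em are
// modelled here (assumption: enough to show the point).
function renderInline(part) {
  switch (part.type) {
    case 'text':   return escapeHtml(part.text);
    case 'strong': return `<strong>${escapeHtml(part.text)}</strong>`;
    case 'em':     return `<em>${escapeHtml(part.text)}</em>`;
    default:       throw new Error(`unknown inline type ${part.type}`);
  }
}

// Render a block token list. rawHtml: true mirrors the default behaviour described
// above (html blocks go through {@html ...}); rawHtml: false mirrors the custom html
// renderer from the last comment (the block's source is emitted as escaped text).
function render(tokens, { rawHtml }) {
  return tokens.map((tok) => {
    if (tok.type === 'paragraph') {
      return `<p>${tok.parts.map(renderInline).join('')}</p>`;
    }
    if (tok.type === 'html') {
      return rawHtml ? tok.raw : escapeHtml(tok.raw);
    }
    throw new Error(`unknown block type ${tok.type}`);
  }).join('\n');
}

// Constructed sample input: a markdown paragraph followed by an HTML block that
// carries a script element, as untrusted user-supplied markdown might.
const SAMPLE_TOKENS = [
  { type: 'paragraph', parts: [
    { type: 'text', text: 'This is a ' },
    { type: 'strong', text: 'markdown' },
    { type: 'text', text: ' paragraph' },
  ] },
  { type: 'html', raw: '<p>Hi</p><script>alert(1)</script>' },
];

// Detection check for the rendered output: does an executable script element survive?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

With `rawHtml: true` the script element is emitted unchanged, which is why user-controlled markdown needs sanitizing before it reaches {@html ...}; with `rawHtml: false` the same block arrives as inert text, which is the effect of the custom renderer above.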