Alexander Makarov
Please re-read the markdown specification. It says explicitly that it allows any HTML by design, and it's unsafe by definition to allow users to enter markdown w/o further escaping/cleanup.
It's not the job of the markdown parser to escape/cleanup output.
https://michelf.ca/blog/2010/markdown-and-xss/
> The point of a parser is to render the data in a safe way.

No, since it's a markdown parser and markdown wasn't meant to be safe.

> You're...
@cebe I think the security topic should be emphasized in the readme, pointing to HTMLPurifier.
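The split argued above (the markdown parser passes raw HTML through; a separate purifier step makes the output safe), as an added PHP example that is not the project's own code. It assumes cebe/markdown and HTMLPurifier are installed via Composer and that `renderUntrustedMarkdown` is a hypothetical helper name.

```php
<?php
// Added example (not from the cebe/markdown project): render untrusted markdown,
// then pass the resulting HTML through HTMLPurifier before it reaches a page.
// Assumes both packages are installed via Composer:
//   composer require cebe/markdown ezyang/htmlpurifier
require __DIR__ . '/vendor/autoload.php';

use cebe\markdown\GithubMarkdown;

/**
 * Render markdown supplied by an untrusted user.
 *
 * The parser is deliberately left alone: Markdown allows raw HTML, so the
 * parser emits whatever tags the author typed. Safety comes from the
 * purifier step, which enforces an allowlist of tags, attributes and URI schemes.
 */
function renderUntrustedMarkdown(string $markdown): string
{
    $parser = new GithubMarkdown();
    $parser->enableNewlines = true;
    $html = $parser->parse($markdown);

    $config = HTMLPurifier_Config::createDefault();
    // Allowlist: only the elements the markdown syntax itself produces.
    $config->set('HTML.Allowed',
        'p,br,strong,em,code,pre,blockquote,ul,ol,li,h1,h2,h3,h4,h5,h6,'
        . 'a[href|title],img[src|alt|title],table,thead,tbody,tr,th,td,hr');
    // Only http(s) and mailto link targets; other schemes are dropped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
    $config->set('HTML.Nofollow', true);
    $purifier = new HTMLPurifier($config);

    return $purifier->purify($html);
}

// Constructed sample input: ordinary markdown mixed with raw HTML and a
// non-http link target, both of which the markdown parser passes straight through.
$input = "**hi** <script>alert(1)</script> [link](javascript:alert(1))\n";
echo renderUntrustedMarkdown($input);
```

Rendering and purifying are kept as two steps on purpose: the parser's job is fidelity to the markdown input, and the allowlist in the purifier is the only place where safety is decided.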
It's not CommonMark http://commonmark.org/
There should be a way to configure parsers, i.e. one may use github + smartypants.
@samwilson none that I'm aware of. @cebe?
As far as I'm aware, there's no such feature yet.
Looks OK. @cebe how about merging it?