md.js
The issue with eventsFilterRegExp
I like this lib - offering a lightweight option for markdown. Good job :-) Though I discovered a minor issue and I do have a suggestion for a solution. When testing the lib with "Lorem ipsum" text, I discovered that any string passed in, containing both HTML and the combination of the characters "on", causes malformed output of the HTML passed in. Example:
```js
md(`<div>Consectetur <b class="foo">bar</b></div>`);
// will result in:
// <div>C"foo">bar</b></div>
```
I understand the regular expression "eventsFilterRegExp" is the gatekeeper for "XSS vulnerabilities" - though the issue can be solved with the following regular expression - and it will still continue performing its "XSS duties" :-)
```js
/(<[^]+?)(\bon\w+=.*?)(.*>)/gm
// the \b will make sure "on" only matches at a word boundary, not inside a word such as "Consectetur"
// the \w+ then requires one or more word characters (letters, digits or underscore) before the "="
```
I just started testing this library very recently and I am humble enough to admit that you know best the ins and outs of the code. For my purposes the solution works fine - just passing on my "five cents" regarding the problem.
Best regards
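As an added example that is not part of the original issue or of md.js itself, the following JavaScript runs the proposed expression against the inputs discussed above: the "Lorem ipsum" markup that the old behaviour corrupted, and markup carrying inline event-handler attributes that the filter exists to remove. The `stripEventHandlers` helper, its `$1$3` replacement and the `hasEventHandler` check are assumptions about how such a filter could be wired up; how md.js actually applies `eventsFilterRegExp` is not shown on the page.

```javascript
// Added example, not md.js code. The regular expression is the one
// proposed in the issue; everything else here is an assumed harness.
const eventsFilterRegExp = /(<[^]+?)(\bon\w+=.*?)(.*>)/gm;

// Remove "on...=" attributes by keeping groups 1 and 3 and dropping group 2.
// Because group 3 (.*>) greedily swallows the rest of the tag, a single
// replace removes only one handler per tag, so the filter is applied
// until the output stops changing (the string only ever shrinks, so this
// terminates).
function stripEventHandlers(html) {
  let previous;
  let current = html;
  do {
    previous = current;
    current = current.replace(eventsFilterRegExp, '$1$3');
  } while (current !== previous);
  return current;
}

// Defensive check: does any inline event-handler attribute survive?
function hasEventHandler(html) {
  return /\bon\w+=/.test(html);
}

// Constructed sample inputs.
const samples = [
  // The "Lorem ipsum" case from the issue: "on" inside "Consectetur" must be left alone.
  '<div>Consectetur <b class="foo">bar</b></div>',
  // Prose containing the word "on" and an "op..." attribute-like token: no handler, must be untouched.
  '<p>Set option=1 on load</p>',
  // A real inline handler: the attribute name is stripped, the value is left as an inert token.
  '<img src="x.png" onerror="handler()">',
  // Two handlers on one tag: needs the fixed-point loop to clear both.
  '<a href="#" onclick="a()" onmouseover="b()">x</a>',
];

for (const input of samples) {
  const output = stripEventHandlers(input);
  console.log(JSON.stringify(input), '->', JSON.stringify(output),
              hasEventHandler(output) ? '(handler remains!)' : '(clean)');
}
```

The output for the first two samples is identical to the input, which is the behaviour the issue asks for; the handler-bearing samples come back with the `on...=` names removed, although the leftover quoted values show that a regex filter of this shape cleans up but does not tidy the markup.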
Sure, send this as PR with the change.