[question] How to pass options to Parsedown using the new markdown filters?
For example, to prevent XSS, I would use this:
$Parsedown->setSafeMode(true);
Source: https://github.com/erusev/parsedown#security
But using the markdown_to_html filter, I don't see how I would use it.
Yes, I can produce an XSS by inserting a script into the markdown code being converted to HTML, and I'm not using the raw filter.
The MarkdownRuntime accepts a converter implementing MarkdownInterface. And if you look at the ErusevMarkdown implementation of that interface, you'll see that it allows passing an instance of Parsedown in case you want to use a non-default config.
@fabpot it looks like TwigExtraBundle does not allow configuring this though, making it harder to benefit from this.
What do you suggest I do until that is possible? Create my own markdown2html Twig extension? I think that's how it's done in Symfony Demo.
As this option is basically the auto-escaping of markdown, wouldn't it make sense to enable it by default so that it has to be explicitly disabled?
Being insecure by default is one of the things Twig gloriously fixed with outputting escaped (HTML/etc) code by default.
@stof wdyt?
I have enabled safe mode by implementing my own converter class:
```php
<?php

namespace App\Twig;

use Parsedown;
use Twig\Extra\Markdown\MarkdownInterface;

// Drop-in replacement for the default converter: same interface,
// but Parsedown runs with safe mode on so raw HTML in the input is escaped.
class Markdown implements MarkdownInterface
{
    private Parsedown $converter;

    public function __construct()
    {
        $this->converter = new Parsedown();
        $this->converter->setSafeMode(true);
    }

    public function convert(string $body): string
    {
        return $this->converter->text($body);
    }
}
```
…and then overridden the existing one:
```yaml
services:
    twig.markdown.default:
        class: 'App\Twig\Markdown'
```
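An alternative to writing a converter class, added here as an example and not code from the thread: reuse the bundled ErusevMarkdown converter, whose constructor accepts a Parsedown instance as noted above, and inject a Parsedown service that already has safe mode enabled. The service id app.parsedown_safe is an assumed name.

```yaml
# config/services.yaml (assumed location); example configuration, not from the thread.
services:
    # A Parsedown instance with safe mode switched on at construction time
    # (app.parsedown_safe is a name chosen for this example).
    app.parsedown_safe:
        class: Parsedown
        calls:
            - [setSafeMode, [true]]

    # Replace the bundle's default converter with ErusevMarkdown wrapping
    # the safe-mode instance, so markdown_to_html escapes raw HTML.
    twig.markdown.default:
        class: Twig\Extra\Markdown\ErusevMarkdown
        arguments: ['@app.parsedown_safe']
```

Because the override keeps the twig.markdown.default service id, every existing `markdown_to_html` call in templates picks up the safe-mode converter without any template changes.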