mirror/parsedown
1
0
Fork 0
mirror of https://github.com/erusev/parsedown.git synced 2023-08-10 21:13:06 +03:00
Code Releases Activity

More consistent code blocks in readme

Browse Source
This commit is contained in:
Emanuil Rusev 2018-12-28 12:50:30 +02:00 committed by GitHub
parent 48a2fb26fe
commit 4c2d79fc6a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
README.md
View File

@ -60,9 +60,7 @@ Parsedown is capable of escaping user-input within the HTML that it generates. A
To tell Parsedown that it is processing untrusted user-input, use the following: To tell Parsedown that it is processing untrusted user-input, use the following:
```php ```php
$parsedown = new Parsedown; $Parsedown->setSafeMode(true);
$parsedown->setSafeMode(true);
``` ```
If instead, you wish to allow HTML within untrusted user-input, but still want output to be free from XSS it is recommended that you make use of a HTML sanitiser that allows HTML tags to be whitelisted, like [HTML Purifier](http://htmlpurifier.org/). If instead, you wish to allow HTML within untrusted user-input, but still want output to be free from XSS it is recommended that you make use of a HTML sanitiser that allows HTML tags to be whitelisted, like [HTML Purifier](http://htmlpurifier.org/).
@ -80,9 +78,7 @@ Safe mode does not necessarily yield safe results when using extensions to Parse
If you wish to escape HTML **in trusted input**, you can use the following: If you wish to escape HTML **in trusted input**, you can use the following:
```php ```php
$parsedown = new Parsedown; $Parsedown->setMarkupEscaped(true);
$parsedown->setMarkupEscaped(true);
``` ```
Beware that this still allows users to insert unsafe scripting vectors, such as links like `[xss](javascript:alert%281%29)`. Beware that this still allows users to insert unsafe scripting vectors, such as links like `[xss](javascript:alert%281%29)`.