mirror of https://github.com/erusev/parsedown.git synced 2023-08-10 21:13:06 +03:00

More consistent code blocks in readme

Emanuil Rusev 2018-12-28 12:50:30 +02:00 committed by GitHub
parent 48a2fb26fe
commit 4c2d79fc6a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -60,9 +60,7 @@ Parsedown is capable of escaping user-input within the HTML that it generates. A
To tell Parsedown that it is processing untrusted user-input, use the following: To tell Parsedown that it is processing untrusted user-input, use the following:
```php ```php
$parsedown = new Parsedown; $Parsedown->setSafeMode(true);
$parsedown->setSafeMode(true);
``` ```
If instead, you wish to allow HTML within untrusted user-input, but still want output to be free from XSS it is recommended that you make use of a HTML sanitiser that allows HTML tags to be whitelisted, like [HTML Purifier](http://htmlpurifier.org/). If instead, you wish to allow HTML within untrusted user-input, but still want output to be free from XSS it is recommended that you make use of a HTML sanitiser that allows HTML tags to be whitelisted, like [HTML Purifier](http://htmlpurifier.org/).
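Review bot: The new `$Parsedown->setSafeMode(true);` line no longer shows where `$Parsedown` comes from, because the `$parsedown = new Parsedown;` line was dropped from the snippet. This is the block readers copy when handling untrusted input, so a snippet that fails on an undefined variable when pasted alone is a poor trade for consistency. Either keep the instantiation here (renamed to `$Parsedown = new Parsedown;` to match the new casing) or add a sentence before the block saying that `$Parsedown` is the instance created in an earlier example; this hunk does not show any such definition.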
@ -80,9 +78,7 @@ Safe mode does not necessarily yield safe results when using extensions to Parse
If you wish to escape HTML **in trusted input**, you can use the following: If you wish to escape HTML **in trusted input**, you can use the following:
```php ```php
$parsedown = new Parsedown; $Parsedown->setMarkupEscaped(true);
$parsedown->setMarkupEscaped(true);
``` ```
Beware that this still allows users to insert unsafe scripting vectors, such as links like `[xss](javascript:alert%281%29)`. Beware that this still allows users to insert unsafe scripting vectors, such as links like `[xss](javascript:alert%281%29)`.
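Review bot: The `$Parsedown->setMarkupEscaped(true);` snippet has the same gap as the safe-mode one: the instantiation line is removed and nothing in the hunk defines `$Parsedown`. With both security snippets now reduced to a single near-identical line, it is also easier to mistake one for the other, and the trailing context line states that this setting still permits links such as `javascript:` URLs. Consider keeping `$Parsedown = new Parsedown;` in the block, and stating in the sentence above it that this option is for trusted input only and does not replace `setSafeMode(true)`.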