mirror/parsedown
1
0
Fork 0
mirror of https://github.com/erusev/parsedown.git synced 2023-08-10 21:13:06 +03:00
Code Releases Activity

Rewrite section

Browse Source
This commit is contained in:
Aidan Woods 2018-03-01 18:44:11 +00:00
parent ad62bf5a6f
commit 90439ef882
No known key found for this signature in database
GPG Key ID: 9A6A8EFAA512BBB9
1 changed files with 25 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
README.md
View File

@ -39,19 +39,37 @@ More examples in [the wiki](https://github.com/erusev/parsedown/wiki/) and in [t
### Security
Parsedown is capable of escaping user-input within the HTML that it generates.
Additionally Parsedown can attempt to sanitize additional scriping vectors (such
as scripting link destinations). To tell Parsedown that it is processing untrusted
user input, use the following:
Additionally Parsedown will apply sanitisation to additional scripting vectors (such
as scripting link destinations) that are introduced by the markdown syntax itself.
To tell Parsedown that it is processing untrusted user-input, use the following:
```php
$parsedown = new Parsedown;
$parsedown->setSafeMode(true);
```
It is recommended that when you deal with untrusted content (ex: user comments)
you should employ defense-in-depth measures, like making use of a HTML sanitizer
If instead, you wish to allow HTML within untrusted user input, but still want
output to be free from XSS it is recommended that you make use of a HTML sanitiser
that allows HTML tags to be whitelisted, like [HTML Purifier](http://htmlpurifier.org/).
Additionally, you should strongly consider
[deploying a Content-Secuity-Policy](https://scotthelme.co.uk/content-security-policy-an-introduction/).
In both cases you should strongly consider employing defence-in-depth measures,
like [deploying a Content-Secuity-Policy](https://scotthelme.co.uk/content-security-policy-an-introduction/)
(making use of browser security feature) so that your page is likely to be safe even if an
attacker finds a vulnerability in one of the first lines of defence above.
#### Security of Parsedown Extensions
Safe mode does not necessarily yield safe results when using extensions to Parsedown. Extensions should be evaluated on their own to determine their specific safety against XSS.
### Escaping HTML
> ⚠️  **WARNING:** This method isn't safe from XSS!
If you wish to escape HTML **in trusted input**, you can use the following:
```php
$parsedown = new Parsedown;
$parsedown->setMarkupEscaped(true);
```
Beware that this still allows users to insert unsafe scripting vectors, such as links like `[xss](javascript:alert%281%29)`.
### Questions