Talk about safe mode in the README

Aidan Woods 2018-02-28 17:01:31 +00:00
parent 6678d59be4
commit ad62bf5a6f
No known key found for this signature in database
GPG Key ID: 9A6A8EFAA512BBB9
1 changed files with 14 additions and 1 deletions


@ -38,7 +38,20 @@ More examples in [the wiki](https://github.com/erusev/parsedown/wiki/) and in [t
### Security
Parsedown does not sanitize the HTML that it generates. When you deal with untrusted content (ex: user comments) you should also use a HTML sanitizer like [HTML Purifier](http://htmlpurifier.org/).
Parsedown is capable of escaping user-input within the HTML that it generates.
Additionally Parsedown can attempt to sanitize additional scriping vectors (such
as scripting link destinations). To tell Parsedown that it is processing untrusted
user input, use the following:
```php
$parsedown = new Parsedown;
$parsedown->setSafeMode(true);
```
It is recommended that when you deal with untrusted content (ex: user comments)
you should employ defense-in-depth measures, like making use of a HTML sanitizer
that allows HTML tags to be whitelisted, like [HTML Purifier](http://htmlpurifier.org/).
Additionally, you should strongly consider
[deploying a Content-Secuity-Policy](https://scotthelme.co.uk/content-security-policy-an-introduction/).
### Questions
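Review bot: the added paragraph carries two typos that will ship in the README: "scriping vectors" should read "scripting vectors", and the link text "Content-Secuity-Policy" should read "Content-Security-Policy"; "a HTML sanitizer" also reads better as "an HTML sanitizer". On substance, the removed line ("Parsedown does not sanitize the HTML that it generates") stated the caveat bluntly, while the new text only says Parsedown "can attempt to sanitize" scripting vectors and then recommends a sanitizer as defense-in-depth; consider keeping one explicit sentence that safe mode is not a replacement for an HTML sanitizer, and stating whether safe mode is enabled by default, since the snippet shows only how to turn it on.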