mirror of
https://github.com/erusev/parsedown.git
synced 2023-08-10 21:13:06 +03:00
Talk about safe mode in the README
This commit is contained in:
Aidan Woods
parent
6678d59be4
commit
ad62bf5a6f
15
README.md
15
README.md
@ -38,7 +38,20 @@ More examples in [the wiki](https://github.com/erusev/parsedown/wiki/) and in [t
|
||||
|
||||
### Security
|
||||
|
||||
Parsedown does not sanitize the HTML that it generates. When you deal with untrusted content (ex: user comments) you should also use a HTML sanitizer like [HTML Purifier](http://htmlpurifier.org/).
|
||||
Parsedown is capable of escaping user-input within the HTML that it generates.
|
||||
Additionally Parsedown can attempt to sanitize additional scriping vectors (such
|
||||
as scripting link destinations). To tell Parsedown that it is processing untrusted
|
||||
user input, use the following:
|
||||
```php
|
||||
$parsedown = new Parsedown;
|
||||
$parsedown->setSafeMode(true);
|
||||
```
|
||||
|
||||
It is recommended that when you deal with untrusted content (ex: user comments)
|
||||
you should employ defense-in-depth measures, like making use of a HTML sanitizer
|
||||
that allows HTML tags to be whitelisted, like [HTML Purifier](http://htmlpurifier.org/).
|
||||
Additionally, you should strongly consider
|
||||
[deploying a Content-Secuity-Policy](https://scotthelme.co.uk/content-security-policy-an-introduction/).
|
||||
|
||||
### Questions
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user