1
0
mirror of https://github.com/erusev/parsedown.git synced 2023-08-10 21:13:06 +03:00

Remove extra line breaks

This commit is contained in:
Aidan Woods 2018-03-01 19:54:58 +00:00
parent 9b1f54b9d3
commit f3068df45a
No known key found for this signature in database
GPG Key ID: 9A6A8EFAA512BBB9

View File

@ -38,23 +38,17 @@ More examples in [the wiki](https://github.com/erusev/parsedown/wiki/) and in [t
### Security ### Security
Parsedown is capable of escaping user-input within the HTML that it generates. Parsedown is capable of escaping user-input within the HTML that it generates. Additionally Parsedown will apply sanitisation to additional scripting vectors (such as scripting link destinations) that are introduced by the markdown syntax itself.
Additionally Parsedown will apply sanitisation to additional scripting vectors (such
as scripting link destinations) that are introduced by the markdown syntax itself.
To tell Parsedown that it is processing untrusted user-input, use the following: To tell Parsedown that it is processing untrusted user-input, use the following:
```php ```php
$parsedown = new Parsedown; $parsedown = new Parsedown;
$parsedown->setSafeMode(true); $parsedown->setSafeMode(true);
``` ```
If instead, you wish to allow HTML within untrusted user-input, but still want If instead, you wish to allow HTML within untrusted user-input, but still want output to be free from XSS it is recommended that you make use of a HTML sanitiser that allows HTML tags to be whitelisted, like [HTML Purifier](http://htmlpurifier.org/).
output to be free from XSS it is recommended that you make use of a HTML sanitiser
that allows HTML tags to be whitelisted, like [HTML Purifier](http://htmlpurifier.org/).
In both cases you should strongly consider employing defence-in-depth measures, In both cases you should strongly consider employing defence-in-depth measures, like [deploying a Content-Secuity-Policy](https://scotthelme.co.uk/content-security-policy-an-introduction/) (making use of browser security feature) so that your page is likely to be safe even if an attacker finds a vulnerability in one of the first lines of defence above.
like [deploying a Content-Secuity-Policy](https://scotthelme.co.uk/content-security-policy-an-introduction/)
(making use of browser security feature) so that your page is likely to be safe even if an
attacker finds a vulnerability in one of the first lines of defence above.
#### Security of Parsedown Extensions #### Security of Parsedown Extensions