mirror/parsedown
1
0
Fork 0
mirror of https://github.com/erusev/parsedown.git synced 2023-08-10 21:13:06 +03:00
Code Releases Activity

Remove extra line breaks

Browse Source
This commit is contained in:
Aidan Woods 2018-03-01 19:54:58 +00:00
parent 9b1f54b9d3
commit f3068df45a
No known key found for this signature in database
GPG Key ID: 9A6A8EFAA512BBB9
1 changed files with 4 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
README.md
View File

@ -38,23 +38,17 @@ More examples in [the wiki](https://github.com/erusev/parsedown/wiki/) and in [t
### Security
Parsedown is capable of escaping user-input within the HTML that it generates.
Additionally Parsedown will apply sanitisation to additional scripting vectors (such
as scripting link destinations) that are introduced by the markdown syntax itself.
Parsedown is capable of escaping user-input within the HTML that it generates. Additionally Parsedown will apply sanitisation to additional scripting vectors (such as scripting link destinations) that are introduced by the markdown syntax itself.
To tell Parsedown that it is processing untrusted user-input, use the following:
```php
$parsedown = new Parsedown;
$parsedown->setSafeMode(true);
```
If instead, you wish to allow HTML within untrusted user-input, but still want
output to be free from XSS it is recommended that you make use of a HTML sanitiser
that allows HTML tags to be whitelisted, like [HTML Purifier](http://htmlpurifier.org/).
If instead, you wish to allow HTML within untrusted user-input, but still want output to be free from XSS it is recommended that you make use of a HTML sanitiser that allows HTML tags to be whitelisted, like [HTML Purifier](http://htmlpurifier.org/).
In both cases you should strongly consider employing defence-in-depth measures,
like [deploying a Content-Secuity-Policy](https://scotthelme.co.uk/content-security-policy-an-introduction/)
(making use of browser security feature) so that your page is likely to be safe even if an
attacker finds a vulnerability in one of the first lines of defence above.
In both cases you should strongly consider employing defence-in-depth measures, like [deploying a Content-Secuity-Policy](https://scotthelme.co.uk/content-security-policy-an-introduction/) (making use of browser security feature) so that your page is likely to be safe even if an attacker finds a vulnerability in one of the first lines of defence above.
#### Security of Parsedown Extensions