Disable parsing of raw HTML #225
Comments
Not currently, but it's something that could probably be added.
It would be nice to combine escaping HTML elements with a whitelist of HTML elements that are allowed to be parsed; anything else would be escaped. This would provide additional safety when displaying user-generated input.
Another feature might be a sanitization function that can be run before the attributes are passed to the parsed element. While you can always provide custom components for everything, one function could handle both things like URL sanitization for non- Something along the lines of
Or:
Then in the code, where it
This isn't the right issue for this, but it's a broader issue of how to handle user-generated content. I like this library, but I'm switching to
Hopefully this comment has been helpful in that.
Possibly relevant package https://github.com/cure53/DOMPurify
That lib is bigger than markdown-to-jsx itself unfortunately. Adding some basic config to just disable the HTML parsing rules should be relatively straightforward and it would just end up in the generated markdown as plain text.
Should this issue be closed now after #278?
First, please excuse my lack of security knowledge 🙂. I have a problem that optionally disabling parsing raw HTML right now will also disable my custom components.
const options = { overrides: { MyCustomComponent: MyCustomComponent } };
<MyCustomComponent/> // This no longer works if I disable parsing raw HTML.
But what if I want to disable parsing raw HTML only (i.e., like <script> tags) but allow custom components to still work? As stated here #307 (comment) I'd have to allow raw HTML but use something like My question is, can we allow disabling raw HTML, but allow custom MDX components or somehow make it an option, maybe on
@stephan-noel you can use a custom override just for script tags, for example:
const value = `Hello<div style="color: red;">World</div><script src="evil.com">Bad script</script>`
const MARKDOWN_OPTIONS = {
  overrides: {
    // If there is any text inside the script tag then render this, otherwise render nothing.
    script: (props: { children: string }) => props.children,
  },
}
<Markdown options={MARKDOWN_OPTIONS}>
  {value}
</Markdown>
Would just render as:
Hmm we should be discarding script tags entirely as they're obviously a malicious vector
Ah that's interesting. Yes I'm running 7.1.6 and without
Is there a way to disable parsing of raw HTML altogether? I know I can override specific tags but I'd like to automatically escape HTML characters without transforming the data stored in my database.
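The render-time escaping this question asks for, as an added example that is not markdown-to-jsx's own code: a pre-filter that escapes every raw HTML tag in the markdown string except an allow-list of tag names (for instance the custom component names registered in `overrides`), so the text stored in the database is never modified and a `<script>` element never reaches the parser as markup. Code spans and fenced blocks are skipped because their contents already render literally; the function names and the sample input are my own.

```javascript
// Added example, not markdown-to-jsx code. Escapes raw HTML tags in a markdown
// string at render time, keeping only an allow-list of tag names (e.g. custom
// component names registered via `overrides`). The original string is not
// modified, so stored data stays as-is; only the copy handed to the parser changes.

// Matches an opening, closing or self-closing tag and captures its name.
const TAG_RE = /<\/?([A-Za-z][\w-]*)(?:\s[^<>]*)?\/?>/g;

// Matches fenced code blocks first, then inline code spans. The capturing group
// makes String.prototype.split() return these segments at odd indices.
const CODE_RE = /(```[\s\S]*?```|`[^`\n]*`)/g;

function escapeTag(tag) {
  return tag.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Escape every tag in `segment` whose name is not in `allowed` (case-sensitive,
// so `MyCustomComponent` and `mycustomcomponent` are distinct names).
function escapeTagsOutsideCode(segment, allowed) {
  return segment.replace(TAG_RE, (tag, name) => (allowed.has(name) ? tag : escapeTag(tag)));
}

// Escape raw HTML outside code, leaving code spans and fenced blocks untouched
// because the markdown parser already renders their contents literally.
function escapeRawHtml(markdown, allowedTags = []) {
  const allowed = new Set(allowedTags);
  return markdown
    .split(CODE_RE)
    .map((part, i) => (i % 2 === 1 ? part : escapeTagsOutsideCode(part, allowed)))
    .join('');
}

// Constructed input mirroring the thread: a styled div, an injected script,
// a custom component and a code span that must survive unchanged.
const SAMPLE = 'Hello<div style="color: red;">World</div>' +
  '<script src="evil.com">Bad script</script> <MyCustomComponent/> `<b>`';

// Hand `safe` to <Markdown> instead of SAMPLE; SAMPLE itself is unchanged.
const safe = escapeRawHtml(SAMPLE, ['MyCustomComponent']);
console.log(safe);
```

Tags are escaped rather than dropped, so a reader still sees the literal `<script ...>` text; if the element should vanish entirely, pair this with an override for that tag as shown earlier in the thread.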