Document lack of sanitization of HTML output #1479
Comments
|
Hmm, this used to me mentioned in our documentation. Not sure when or why it was removed. But, yes, I agree, we should be documenting this. Although, an argument has been made by some in the past that as all markdown parsers do not sanitize, there is no need to document this as there should be no expectation from users anyway. Personally, I recognize that not all users know or understand that and so we should be expressly stating as much. By the way, we used to recommend bleach as a solution. We stopped making that recommendation as the bleach project has been deprecated. That still appears to be the case. |
waylan
added
docs
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Like many other Markdown processors, Python-Markdown does not sanitize its output, meaning that malicious code can be embedded within markdown documents.
If this isn't made clear to users, there is a risk that they will unintentionally create opportunities for XSS attacks. It would be worthwhile documenting the lack of sanitization, and perhaps recommend an HTML sanitization library, such as bleach.
The text was updated successfully, but these errors were encountered: