
Document lack of sanitization of HTML output #1479

Open
MaddyGuthridge opened this issue Sep 8, 2024 · 1 comment
Labels
confirmed Confirmed bug report or approved feature request. docs Related to the project documentation.

Comments

@MaddyGuthridge

Like many other Markdown processors, Python-Markdown does not sanitize its output, meaning that malicious code can be embedded within markdown documents.

# Some markdown document

<script>alert("Evil laughter")</script>

If this isn't made clear to users, there is a risk that they will unintentionally create opportunities for XSS attacks. It would be worthwhile documenting the lack of sanitization, and perhaps recommend an HTML sanitization library, such as bleach.
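As an added example (not part of this issue, and not Python-Markdown's own code): a minimal allowlist sanitizer built on the standard library's `html.parser`, run over HTML constructed to stand in for what a Markdown processor emits for the document above, where the raw `<script>` element is passed through untouched. `RENDERED_HTML` is a constructed sample rather than the output of any library call, and the allowed tag and attribute sets are illustrative choices. The point it demonstrates is the one the issue makes: the processor cannot be relied on to strip markup, so sanitization has to be a separate step applied to the rendered HTML before it reaches a browser.

```python
"""Allowlist-based sanitizer for the HTML a Markdown processor produces.

Added example; not the issue author's code and not Python-Markdown's.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for rendered output of the document in the issue
# (heading plus the raw <script> passed straight through), with one extra
# paragraph added to exercise attribute and URL filtering.
RENDERED_HTML = (
    '<h1>Some markdown document</h1>\n'
    '<script>alert("Evil laughter")</script>\n'
    '<p>Click <a href="javascript:alert(1)" onclick="x()">here</a> or '
    '<a href="https://example.com" title="ok">there</a> &lt;3</p>'
)

# Illustrative allowlists: anything not listed here is removed.
ALLOWED_TAGS = {"h1", "h2", "h3", "p", "br", "em", "strong", "code", "pre",
                "blockquote", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
# Elements whose text content is discarded along with the tags.
DROP_WITH_CONTENT = {"script", "style"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def is_safe_url(url: str) -> bool:
    """Allow relative URLs and a small set of schemes; reject the rest
    (javascript:, data:, vbscript:, ...)."""
    scheme = urlparse(url.strip()).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self._drop_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is removed; its text survives as escaped data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops on* handlers, style, class, ...
            if name == "href" and not is_safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._drop_depth = max(0, self._drop_depth - 1)
            return
        if self._drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop_depth:
            # Re-escape decoded text so entities cannot reassemble into markup.
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # HTML comments are dropped


def sanitize(html: str) -> str:
    """Return a copy of `html` containing only allowlisted tags/attributes."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print(sanitize(RENDERED_HTML))
```

Run stand-alone, the script prints the heading and paragraph with the `<script>` element, the `onclick` handler and the `javascript:` link target removed while the `https:` link and its `title` survive. An allowlist is the design to copy even when using a maintained sanitization library instead of this sketch: a denylist of known-bad tags loses as soon as the parser or the browser understands something the list does not.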

@waylan
Member

waylan commented Sep 10, 2024

Hmm, this used to be mentioned in our documentation. Not sure when or why it was removed. But, yes, I agree, we should be documenting this. Although, an argument has been made by some in the past that as all markdown parsers do not sanitize, there is no need to document this as there should be no expectation from users anyway. Personally, I recognize that not all users know or understand that and so we should be expressly stating as much.

By the way, we used to recommend bleach as a solution. We stopped making that recommendation as the bleach project has been deprecated. That still appears to be the case.

@waylan waylan added docs Related to the project documentation. confirmed Confirmed bug report or approved feature request. labels Oct 1, 2024