diff options
| author | ArthurHoaro <arthur@hoa.ro> | 2017-02-27 19:45:55 +0100 |
|---|---|---|
| committer | ArthurHoaro <arthur@hoa.ro> | 2017-02-28 19:16:54 +0100 |
| commit | e03761011521929a375ebb56f21adacb226a3a8d (patch) | |
| tree | 6cc318939e74a35d74a037f18bca912b73e5c81e /plugins/markdown/README.md | |
| parent | 5978588578ca103152598ccfbe41019b12e00a4f (diff) | |
| download | Shaarli-e03761011521929a375ebb56f21adacb226a3a8d.tar.gz Shaarli-e03761011521929a375ebb56f21adacb226a3a8d.tar.zst Shaarli-e03761011521929a375ebb56f21adacb226a3a8d.zip | |
Add markdown_escape setting
This setting allows to escape HTML in markdown rendering or not.
The goal behind it is to avoid XSS issue in shared instances.
More info:
* the setting is set to true by default
* it is set to false for anyone who already have the plugin enabled
(avoid breaking existing entries)
* improve the HTML sanitization when the setting is set to false - but don't consider it XSS proof
* mention the setting in the plugin README
Diffstat (limited to 'plugins/markdown/README.md')
| -rw-r--r-- | plugins/markdown/README.md | 27 |
1 files changed, 20 insertions, 7 deletions
diff --git a/plugins/markdown/README.md b/plugins/markdown/README.md index aafcf066..bc9427e2 100644 --- a/plugins/markdown/README.md +++ b/plugins/markdown/README.md | |||
| @@ -50,9 +50,20 @@ If the tag `nomarkdown` is set for a shaare, it won't be converted to Markdown s | |||
| 50 | 50 | ||
| 51 | > Note: this is a special tag, so it won't be displayed in link list. | 51 | > Note: this is a special tag, so it won't be displayed in link list. |
| 52 | 52 | ||
| 53 | ### HTML rendering | 53 | ### HTML escape |
| 54 | 54 | ||
| 55 | Markdown support HTML tags. For example: | 55 | By default, HTML tags are escaped. You can enable HTML tags rendering |
| 56 | by setting `security.markdwon_escape` to `false` in `data/config.json.php`: | ||
| 57 | |||
| 58 | ```json | ||
| 59 | { | ||
| 60 | "security": { | ||
| 61 | "markdown_escape": false | ||
| 62 | } | ||
| 63 | } | ||
| 64 | ``` | ||
| 65 | |||
| 66 | With this setting, Markdown support HTML tags. For example: | ||
| 56 | 67 | ||
| 57 | > <strong>strong</strong><strike>strike</strike> | 68 | > <strong>strong</strong><strike>strike</strike> |
| 58 | 69 | ||
| @@ -60,12 +71,14 @@ Will render as: | |||
| 60 | 71 | ||
| 61 | > <strong>strong</strong><strike>strike</strike> | 72 | > <strong>strong</strong><strike>strike</strike> |
| 62 | 73 | ||
| 63 | If you want to shaare HTML code, it is necessary to use inline code or code blocks. | ||
| 64 | |||
| 65 | **If your shaared descriptions containing HTML tags before enabling the markdown plugin, | ||
| 66 | enabling it might break your page.** | ||
| 67 | 74 | ||
| 68 | > Note: HTML tags such as script, iframe, etc. are disabled for security reasons. | 75 | **Warning:** |
| 76 | |||
| 77 | * This setting might present **security risks** (XSS) on shared instances, even though tags | ||
| 78 | such as script, iframe, etc should be disabled. | ||
| 79 | * If you want to shaare HTML code, it is necessary to use inline code or code blocks. | ||
| 80 | * If your shaared descriptions contained HTML tags before enabling the markdown plugin, | ||
| 81 | enabling it might break your page. | ||
| 69 | 82 | ||
| 70 | ### Known issue | 83 | ### Known issue |
| 71 | 84 | ||