aboutsummaryrefslogtreecommitdiffhomepage
path: root/plugins/markdown/README.md
diff options
context:
space:
mode:
authorArthurHoaro <arthur@hoa.ro>2017-02-27 19:45:55 +0100
committerArthurHoaro <arthur@hoa.ro>2017-02-28 19:16:54 +0100
commite03761011521929a375ebb56f21adacb226a3a8d (patch)
tree6cc318939e74a35d74a037f18bca912b73e5c81e /plugins/markdown/README.md
parent5978588578ca103152598ccfbe41019b12e00a4f (diff)
downloadShaarli-e03761011521929a375ebb56f21adacb226a3a8d.tar.gz
Shaarli-e03761011521929a375ebb56f21adacb226a3a8d.tar.zst
Shaarli-e03761011521929a375ebb56f21adacb226a3a8d.zip
Add markdown_escape setting
This setting allows to escape HTML in markdown rendering or not. The goal behind it is to avoid XSS issue in shared instances. More info: * the setting is set to true by default * it is set to false for anyone who already have the plugin enabled (avoid breaking existing entries) * improve the HTML sanitization when the setting is set to false - but don't consider it XSS proof * mention the setting in the plugin README
Diffstat (limited to 'plugins/markdown/README.md')
-rw-r--r--plugins/markdown/README.md27
1 files changed, 20 insertions, 7 deletions
diff --git a/plugins/markdown/README.md b/plugins/markdown/README.md
index aafcf066..bc9427e2 100644
--- a/plugins/markdown/README.md
+++ b/plugins/markdown/README.md
@@ -50,9 +50,20 @@ If the tag `nomarkdown` is set for a shaare, it won't be converted to Markdown s
50 50
51> Note: this is a special tag, so it won't be displayed in link list. 51> Note: this is a special tag, so it won't be displayed in link list.
52 52
53### HTML rendering 53### HTML escape
54 54
55Markdown support HTML tags. For example: 55By default, HTML tags are escaped. You can enable HTML tags rendering
56by setting `security.markdwon_escape` to `false` in `data/config.json.php`:
57
58```json
59{
60 "security": {
61 "markdown_escape": false
62 }
63}
64```
65
66With this setting, Markdown support HTML tags. For example:
56 67
57 > <strong>strong</strong><strike>strike</strike> 68 > <strong>strong</strong><strike>strike</strike>
58 69
@@ -60,12 +71,14 @@ Will render as:
60 71
61> <strong>strong</strong><strike>strike</strike> 72> <strong>strong</strong><strike>strike</strike>
62 73
63If you want to shaare HTML code, it is necessary to use inline code or code blocks.
64
65**If your shaared descriptions containing HTML tags before enabling the markdown plugin,
66enabling it might break your page.**
67 74
68> Note: HTML tags such as script, iframe, etc. are disabled for security reasons. 75**Warning:**
76
77 * This setting might present **security risks** (XSS) on shared instances, even though tags
78 such as script, iframe, etc should be disabled.
79 * If you want to shaare HTML code, it is necessary to use inline code or code blocks.
80 * If your shaared descriptions contained HTML tags before enabling the markdown plugin,
81enabling it might break your page.
69 82
70### Known issue 83### Known issue
71 84