author | ArthurHoaro <arthur@hoa.ro> | 2017-02-27 19:45:55 +0100 |
---|---|---|
committer | ArthurHoaro <arthur@hoa.ro> | 2017-02-28 19:16:54 +0100 |
commit | e03761011521929a375ebb56f21adacb226a3a8d (patch) | |
tree | 6cc318939e74a35d74a037f18bca912b73e5c81e /plugins/markdown/README.md | |
parent | 5978588578ca103152598ccfbe41019b12e00a4f (diff) | |
Add markdown_escape setting
This setting allows escaping HTML in markdown rendering or not.
The goal behind it is to avoid XSS issue in shared instances.
More info:
* the setting is set to true by default
* it is set to false for anyone who already has the plugin enabled
(avoid breaking existing entries)
* improve the HTML sanitization when the setting is set to false - but don't consider it XSS proof
* mention the setting in the plugin README
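The commit message draws a distinction worth seeing in code: escaping HTML before Markdown rendering (the new `markdown_escape: true` default) neutralises every user-supplied tag, whereas keeping raw HTML and stripping a blocklist of tag names (the `false` mode) only catches the tags someone thought of. The following Python is an added illustration written for this page, not Shaarli's code and not an analysis of Shaarli's actual sanitizer: `markdown_subset` is a toy stand-in for the real Markdown renderer, `render_blocklist` is a hypothetical script/iframe blocklist, and the sample descriptions are constructed.

```python
import html
import re

# Constructed sample shaare descriptions (not taken from any real instance).
SAMPLES = {
    "markdown_only": "This is **important**.",
    "inline_html": "<strong>strong</strong><strike>strike</strike>",
    "script": "hi <script>alert(1)</script>",
    # No script/iframe tag at all, so a tag-name blocklist has nothing to strip.
    "event_handler": '<img src=x onerror="alert(1)">',
}

# Toy Markdown: only **bold** is rendered. Stands in for the real renderer.
_BOLD_RE = re.compile(r"\*\*(.+?)\*\*")


def markdown_subset(text: str) -> str:
    return _BOLD_RE.sub(r"<strong>\1</strong>", text)


def render_escaped(description: str) -> str:
    """markdown_escape = true: escape raw HTML first, then render Markdown.

    Every '<' and '>' the user wrote becomes '&lt;'/'&gt;', so no user-supplied
    tag survives, while Markdown syntax (which uses no angle brackets) still works.
    """
    return markdown_subset(html.escape(description, quote=True))


BLOCKED_TAGS = ("script", "iframe")
# Hypothetical blocklist: drop <script>...</script> / <iframe>...</iframe>
# elements (and self-closing forms). Anything not named here passes through.
_BLOCK_RE = re.compile(
    r"<(?:%s)\b[^>]*>.*?</(?:%s)\s*>|<(?:%s)\b[^>]*/?>"
    % (("|".join(BLOCKED_TAGS),) * 3),
    re.IGNORECASE | re.DOTALL,
)


def render_blocklist(description: str) -> str:
    """markdown_escape = false with a tag blocklist: raw HTML is kept and only
    the listed tag names are removed. This is the weaker mode."""
    return markdown_subset(_BLOCK_RE.sub("", description))


def contains_active_html(rendered: str) -> bool:
    """Heuristic used only for this demonstration: true if the output still
    carries a <script> element or a tag with an on* event-handler attribute."""
    has_handler = re.search(r"<\w+[^>]*\son\w+\s*=", rendered, re.IGNORECASE)
    return bool(has_handler) or "<script" in rendered.lower()


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        for mode, render in (("escaped", render_escaped), ("blocklist", render_blocklist)):
            out = render(text)
            print(f"{name:14s} {mode:9s} active={contains_active_html(out)!s:5s} {out}")
```

Running it shows the trade-off the README documents: in escaped mode `**important**` still renders as bold but `<strong>` is displayed literally, exactly as the new README says; in blocklist mode `<strong>` renders (the feature people enable the setting for), the `<script>` sample is stripped, and the `onerror` sample passes straight through because no blocklisted tag name appears in it. That gap is the generic reason a tag blocklist cannot be called XSS-proof, independent of how any particular sanitizer is written.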
Diffstat (limited to 'plugins/markdown/README.md')
-rw-r--r-- | plugins/markdown/README.md | 27 |
1 file changed, 20 insertions, 7 deletions
diff --git a/plugins/markdown/README.md b/plugins/markdown/README.md index aafcf066..bc9427e2 100644 --- a/plugins/markdown/README.md +++ b/plugins/markdown/README.md | |||
@@ -50,9 +50,20 @@ If the tag `nomarkdown` is set for a shaare, it won't be converted to Markdown s | |||
50 | 50 | ||
51 | > Note: this is a special tag, so it won't be displayed in link list. | 51 | > Note: this is a special tag, so it won't be displayed in link list. |
52 | 52 | ||
53 | ### HTML rendering | 53 | ### HTML escape |
54 | 54 | ||
55 | Markdown support HTML tags. For example: | 55 | By default, HTML tags are escaped. You can enable HTML tags rendering |
56 | by setting `security.markdwon_escape` to `false` in `data/config.json.php`: | ||
57 | |||
58 | ```json | ||
59 | { | ||
60 | "security": { | ||
61 | "markdown_escape": false | ||
62 | } | ||
63 | } | ||
64 | ``` | ||
65 | |||
66 | With this setting, Markdown support HTML tags. For example: | ||
56 | 67 | ||
57 | > <strong>strong</strong><strike>strike</strike> | 68 | > <strong>strong</strong><strike>strike</strike> |
58 | 69 | ||
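Review bot: the setting key in the new prose is misspelled: new line 56 reads `security.markdwon_escape`, while the JSON example on new line 61 and the commit message use `markdown_escape`; an admin who copies the key from the prose ends up with an unknown setting and escaping left at its default. Fix the prose to `security.markdown_escape`. Two smaller wording points in the same hunk: "Markdown support HTML tags" on new line 66 should read "Markdown supports HTML tags", and "With this setting" is ambiguous because the setting exists in both states; "With escaping disabled, Markdown supports HTML tags" says what is meant.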
@@ -60,12 +71,14 @@ Will render as: | |||
60 | 71 | ||
61 | > <strong>strong</strong><strike>strike</strike> | 72 | > <strong>strong</strong><strike>strike</strike> |
62 | 73 | ||
63 | If you want to shaare HTML code, it is necessary to use inline code or code blocks. | ||
64 | |||
65 | **If your shaared descriptions containing HTML tags before enabling the markdown plugin, | ||
66 | enabling it might break your page.** | ||
67 | 74 | ||
68 | > Note: HTML tags such as script, iframe, etc. are disabled for security reasons. | 75 | **Warning:** |
76 | |||
77 | * This setting might present **security risks** (XSS) on shared instances, even though tags | ||
78 | such as script, iframe, etc should be disabled. | ||
79 | * If you want to shaare HTML code, it is necessary to use inline code or code blocks. | ||
80 | * If your shaared descriptions contained HTML tags before enabling the markdown plugin, | ||
81 | enabling it might break your page. | ||
69 | 82 | ||
70 | ### Known issue | 83 | ### Known issue |
71 | 84 | ||
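Review bot: the warning on new lines 77-78 hedges ("tags such as script, iframe, etc should be disabled") where it should be explicit, since the commit message itself says the sanitization in the non-escaped mode should not be considered XSS-proof: state plainly that `markdown_escape: false` must not be used on instances where untrusted users can create or edit shaares, and that tag stripping is a best-effort measure rather than a guarantee. The README also never mentions what the commit message does, that existing installations with the plugin already enabled get the setting set to `false` automatically to avoid breaking entries; an admin of a shared instance who upgrades would not know to set it back to `true`, so add a sentence about that migration behaviour under the warning. Minor: "etc should" should be "etc. should", as on old line 68.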