From e03761011521929a375ebb56f21adacb226a3a8d Mon Sep 17 00:00:00 2001 From: ArthurHoaro Date: Mon, 27 Feb 2017 19:45:55 +0100 Subject: Add markdown_escape setting This setting allows to escape HTML in markdown rendering or not. The goal behind it is to avoid XSS issue in shared instances. More info: * the setting is set to true by default * it is set to false for anyone who already have the plugin enabled (avoid breaking existing entries) * improve the HTML sanitization when the setting is set to false - but don't consider it XSS proof * mention the setting in the plugin README --- plugins/markdown/README.md | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) (limited to 'plugins/markdown/README.md') diff --git a/plugins/markdown/README.md b/plugins/markdown/README.md index aafcf066..bc9427e2 100644 --- a/plugins/markdown/README.md +++ b/plugins/markdown/README.md @@ -50,9 +50,20 @@ If the tag `nomarkdown` is set for a shaare, it won't be converted to Markdown s > Note: this is a special tag, so it won't be displayed in link list. -### HTML rendering +### HTML escape -Markdown support HTML tags. For example: +By default, HTML tags are escaped. You can enable HTML tags rendering +by setting `security.markdwon_escape` to `false` in `data/config.json.php`: + +```json +{ + "security": { + "markdown_escape": false + } +} +``` + +With this setting, Markdown support HTML tags. For example: > strongstrike @@ -60,12 +71,14 @@ Will render as: > strongstrike -If you want to shaare HTML code, it is necessary to use inline code or code blocks. - -**If your shaared descriptions containing HTML tags before enabling the markdown plugin, -enabling it might break your page.** -> Note: HTML tags such as script, iframe, etc. are disabled for security reasons. +**Warning:** + + * This setting might present **security risks** (XSS) on shared instances, even though tags + such as script, iframe, etc should be disabled. + * If you want to shaare HTML code, it is necessary to use inline code or code blocks. + * If your shaared descriptions contained HTML tags before enabling the markdown plugin, +enabling it might break your page. ### Known issue -- cgit v1.2.3