Patch #16087
Markdown renderer doesn’t clean HTML properly
Status: Closed
Priority: Normal
Assignee: -
Category: Text formatting
Target version: -
% Done: 0%
Description
The current renderer strips HTML (contrary to conventional Markdown) and still fails to catch everything:
[bad link](javascript:alert(1\))
This fixes both behaviours. scrub-classes is a patch to remove unrecognized classes that could potentially be used to annoy; I haven’t completed the list because the existing implementation already allows all classes through syntax highlighting:
~~~any-class-here
code block
~~~
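An allowlist applied to the rendered output handles both inputs quoted in the description, regardless of how they were escaped in the Markdown source. This is an added example, not Redmine's code or the attached patch; the function names and both allowlists are assumptions, and each href is assumed to have been entity-decoded by an HTML parser first.

```ruby
# Added example; not Redmine's code. The allowlists are assumptions.
ALLOWED_SCHEMES = %w[http https mailto].freeze
ALLOWED_CLASSES = %w[ruby python diff].freeze # hypothetical highlighter languages

# True when an href (already entity-decoded by the HTML parser) may be kept.
def safe_href?(href)
  # Browsers drop tab/CR/LF anywhere in a URL and skip leading control
  # characters and spaces, so normalise the same way before reading the scheme.
  url = href.to_s.gsub(/[\t\r\n]/, '').sub(/\A[\x00-\x20]+/, '')
  scheme = url[/\A([a-z][a-z0-9+.\-]*):/i, 1]
  # No scheme means a relative URL, which is kept.
  scheme.nil? || ALLOWED_SCHEMES.include?(scheme.downcase)
end

# Keep only recognised class names; nil means "drop the attribute".
def scrub_classes(value, allowed = ALLOWED_CLASSES)
  kept = value.to_s.split.select { |name| allowed.include?(name) }
  kept.empty? ? nil : kept.join(' ')
end

# Allowlist the attributes of one rendered element (name => value hash).
def scrub_attrs(attrs)
  attrs.each_with_object({}) do |(name, value), out|
    case name.downcase
    when 'href'
      out['href'] = value if safe_href?(value)
    when 'class'
      kept = scrub_classes(value)
      out['class'] = kept if kept
    when 'title'
      out['title'] = value
    end # any other attribute (onclick, style, ...) is dropped
  end
end

# Constructed sample: attributes as a renderer might emit them for the
# two inputs quoted in the description, plus one harmless link.
SAMPLE = [
  { 'href' => 'javascript:alert(1)' },
  { 'class' => 'any-class-here ruby' },
  { 'href' => '/issues/16087', 'title' => 'relative link' }
].freeze
SAMPLE.each { |attrs| puts "#{attrs.inspect} => #{scrub_attrs(attrs).inspect}" }
```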