Parsedown should not have an advisory? #44
Issue body:

Parsedown is listed here as having a security advisory, but I'm not 100% sure it is warranted. It is a Markdown parsing library that takes the Markdown input it is given and turns it into HTML. Period. That is all it does. It is not an output sanitizer, and the author has stated that that is not a goal of the library. It already is possible to combine Parsedown with a sanitizer in order to sanitize output, for example:

IMO, these two things are separate concerns, and forcing Parsedown to implement a full HTML sanitization feature or integrate with other libraries to do so, when it can easily and flexibly be done in user-land, doesn't make a ton of sense.

I would prefer someone other than @Ocramius review this issue, as I'm not sure he can keep personal bias out of the discussion, since he fairly routinely tweets inflammatory things regarding libraries I have created. Thanks.

Thoughts?

Comments:

Please refer to FriendsOfPHP/security-advisories#257. This repo just broadcasts the security issues.

@taylorotwell I explained a little in FriendsOfPHP/security-advisories#257 why this should be a bug in my opinion, but allow me to give an example, because I feel it might be a helpful reference at least: Parsedown has an option
As you can see, it is possible to get Parsedown to output arbitrary HTML when using this option (this is a bug with security consequences).
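The parser-then-sanitizer arrangement the issue body describes, written out as an added example; it is not code from this thread, from Parsedown, or from HTML Purifier's own documentation. It assumes the erusev/parsedown and ezyang/htmlpurifier packages are installed via Composer, the helper name renderMarkdownSafely and the allowlist are choices made here, and the Markdown input is constructed for the demonstration:

```php
<?php
// Added example, not code from the thread or from Parsedown itself.
// Assumes `composer require erusev/parsedown ezyang/htmlpurifier` has been run.
require __DIR__ . '/vendor/autoload.php';

// Hypothetical helper name chosen for this example.
function renderMarkdownSafely(string $markdown): string
{
    // Step 1: Markdown -> HTML. Parsedown only converts; raw HTML present in
    // the input (and whatever markup the parser itself emits) ends up in the
    // output unchanged, because conversion, not sanitization, is its job.
    $parsedown = new Parsedown();
    $html = $parsedown->text($markdown);

    // Step 2: HTML -> sanitized HTML. The purifier runs over the parser's
    // output, so it does not matter whether dangerous markup came from raw
    // HTML in the input or from a parser quirk: anything outside the
    // allowlist below is dropped, and URLs are restricted to safe schemes.
    $config = HTMLPurifier_Config::createDefault();
    $config->set(
        'HTML.Allowed',
        'p,br,strong,em,ul,ol,li,code,pre,blockquote,a[href],h1,h2,h3'
    );
    $config->set('URI.AllowedSchemes', [
        'http'   => true,
        'https'  => true,
        'mailto' => true,
    ]);
    $purifier = new HTMLPurifier($config);

    return $purifier->purify($html);
}

// Constructed untrusted input: ordinary Markdown with raw HTML and a
// javascript: link mixed in, as a comment field or README might contain.
$untrusted = <<<'MD'
# Hello

Some *emphasis* and a [link](javascript:alert(1)).

<script>alert(document.cookie)</script>
<img src=x onerror="alert(1)">
MD;

echo "Parsedown only (HTML passes through):\n";
echo (new Parsedown())->text($untrusted), "\n\n";

echo "Parsedown + HTML Purifier:\n";
echo renderMarkdownSafely($untrusted), "\n";
```

Running this with `php` prints the two renderings side by side: the first shows the script tag, the event handler and the javascript: href surviving the Markdown conversion, the second shows them removed by the purifier while the heading, emphasis and link text remain. The point matches the issue body's argument: the sanitizer is a separate pass over the final HTML, so it covers raw HTML in the input and parser output alike without requiring anything of the parser.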