Marked version: master
HTML sanitized properly if
There is a known bypass of sanitization
What was attempted
Fixed the known bypass, but I expect other bypasses, so Marked now warns its users not to depend in
In most cases, this should be a different person than the contributor.
Works for me!
I personally recommended DOMPurify because its creators (Cure53) are one of (if not the) experts in the field, with a proven track record of finding critical bugs in even the most well-known libraries / services.
Sanitize-html also looks good, but I am not sure about the other two.
Should we create a docs .MD file about these options and link to that file from the code and from other documentation?
OK, finally had a chance to review this.
If I understand correctly, I see 2-3 problems being discussed.
I agree that deprecating the sanitization feature seems like a good path forward.
Looking for @davisjam to approve this one to the point of merge as I don't have the security knowledge to feel right in doing it. With that said, given the plan to get out of the sanitizer business altogether by 1.0 - I'm pretty okay here.
If the community can hit 100% CommonMark compliance and no known security issues, 1.0 should be released and we can begin the work of refactoring and re-engineering toward the single responsibility of parsing markdown and letting the inputs and outputs be handled by extension or somewhere else altogether.
EDIT: That might seem left-field. If this fixes the known security issue, great. If we are at 100% CommonMark compliance, great. We can release 1.0 and remove all the sanitizer logic along with all related corrections and workarounds, including this one.
Here is our current GFM and CommonMark compliance chart:
We have a long way to go on some of the sections.