Alternatives in the browser? #24

Closed
bevacqua opened this issue Sep 3, 2014 · 4 comments

Comments

@bevacqua

bevacqua commented Sep 3, 2014

Hey, I'm looking for alternatives to he for the browser. Any recommendations? It's just for UX; I'd still be using he in the server.

@bevacqua
Author

I wrote this as an alternative:

https://gist.github.com/bevacqua/83d98737ffd3b5509212

If you want, I could add it to the package.json and create a pull request.

@mathiasbynens
Owner

As stated in the README, he works just fine in browser environments. Why would you need an alternative?

Your alternative is vulnerable to XSS (decodeHtml), and even disregarding that, the code is not equivalent to he’s intended functionality. See #18 for more information.

@bevacqua
Author

Thanks for the heads up on using a <textarea> instead. I know it works just fine in the browser, but I wanted a non-fat version since it's just for markdown previews, and the HTML is never sent to the server; the markdown is rendered again on the server-side using he.

@mathiasbynens
Owner

So you just want he.escape then, i.e., only escape unsafe characters? You could use _.escape then.
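
Added example, not part of the thread and not code from he or lodash: a sketch of the "only escape unsafe characters" approach suggested in the last comment, applied to a client-side preview. The function names, the escaped character set and the toy bold-only renderer are assumptions made for illustration.

```javascript
// Hypothetical helper names; the escaped character set is an assumption.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '`': '&#x60;',
};

// Escape in a single pass, so the '&' emitted by one replacement is
// never escaped a second time (chained .replace() calls in the wrong
// order would turn '<' into '&amp;lt;').
function escapeHtml(text) {
  return String(text).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Toy preview renderer: escape the whole input first, then emit only
// fixed tags chosen by this code. No markup typed by the user survives,
// so the result can be assigned to a preview element's innerHTML.
function renderPreview(markdown) {
  const safe = escapeHtml(markdown);
  return safe.replace(/\*\*([^*]+)\*\*/g, '<strong>$1</strong>');
}

// Constructed sample input: plain text, markdown bold, and raw HTML.
const sample = 'Tom & Jerry say **hi** <em class="x">tag</em>';
console.log(renderPreview(sample));
```

Escaping before rendering keeps the only live markup in the output to the tags the renderer itself writes; the server-side render stays the authoritative one, as described in the thread.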
