[Question] Protection against XXS with user-generated input. #121

New Issue

Closed

opened 2026-01-29 14:27:50 +00:00 by claunia · 2 comments

claunia commented 2026-01-29 14:27:50 +00:00

Owner

Copy Link

Originally created by @mloewent on GitHub (Jul 10, 2017).

Hi. I am wondering how I can protect against code execution using this library.
I want users to be able to add code snippets <script>alert("hi");</script>, but to make sure they are encoded.
Currently if a user writes a code snippet without putting it in a code block the snippet will be executed. Is there any way this library can help protect against this?

Thanks.

Originally created by @mloewent on GitHub (Jul 10, 2017). Hi. I am wondering how I can protect against code execution using this library. I want users to be able to add code snippets ```<script>alert("hi");</script>```, but to make sure they are encoded. Currently if a user writes a code snippet without putting it in a ```code block``` the snippet will be executed. Is there any way this library can help protect against this? Thanks.

claunia added the question label 2026-01-29 14:27:50 +00:00

claunia closed this issue 2026-01-29 14:27:51 +00:00

claunia commented 2026-01-29 14:27:53 +00:00

Author

Owner

Copy Link

@mloewent commented on GitHub (Jul 10, 2017):

I have solved this by using a library to sanitize the HTML output of markdig, using a whitelist of HTML tags. Will leave this issue open in case you have any input.

@mloewent commented on GitHub (Jul 10, 2017): I have solved this by using a library to sanitize the HTML output of markdig, using a whitelist of HTML tags. Will leave this issue open in case you have any input.

claunia commented 2026-01-29 14:27:54 +00:00

Author

Owner

Copy Link

@xoofx commented on GitHub (Jul 11, 2017):

Yes, it is recommended to use a sanitizer on the HTML output directly

@xoofx commented on GitHub (Jul 11, 2017): Yes, it is recommended to use a sanitizer on the HTML output directly

claunia referenced this issue 2026-01-29 14:45:57 +00:00

[PR #121] [MERGED] Fix issue in GenericAttributesParser causing inline elements to be sk… #819

claunia referenced this issue 2026-01-29 14:46:00 +00:00

[PR #121] Fix issue in GenericAttributesParser causing inline elements to be sk… #824

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

example-lunet-api-doc

jira-markup

perf-core-vs-mono

0.44.0

0.43.0

0.42.0

0.41.3

0.41.2

0.41.1

0.41.0

0.40.0

0.39.1

0.39.0

0.38.0

0.37.0

0.36.2

0.36.1

0.36.0

0.35.0

0.34.0

0.33.0

0.32.0

0.31.0

0.30.4

0.30.3

0.30.2

0.30.1

0.30.0

0.29.0

0.28.1

0.28.0

0.27.0

0.26.0

0.25.0

0.24.0

0.23.0

0.22.1

0.22.0

0.21.1

0.21.0

0.20.0

0.18.3

0.18.2

0.18.1

0.18.0

0.17.1

0.17.0

v0.16.0

v0.15.7

v0.15.6

v0.15.5

v0.15.4

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.9

v0.14.8

v0.14.7

v0.14.6

v0.14.5

v0.14.4

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.4

v0.13.3

v0.13.2

v0.13.1

v0.13.0

v0.12.4

v0.12.3

v0.12.2

v0.12.1

v0.12.0

v0.11.0

v0.10.7

v0.10.6

v0.10.5

v0.10.4

v0.10.3

v0.10.2

v0.10.1

v0.10.0

v0.9.1

v0.9.0

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.5

v0.7.4

v0.7.3

v0.7.2

v0.7.1

v0.7.0

v0.6.2

v0.6.1

v0.6.0

v0.5.12

v0.5.11

v0.5.10

v0.5.9

v0.5.8

v0.5.7

v0.5.6

v0.5.5

v0.5.4

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.0

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.1

v0.2.0

v0.1.1

v0.1.0

Labels

Clear labels

bug

documentation

enhancement

extension

Hacktoberfest

invalid

PR Welcome!

pull-request

Mirrored from GitHub Pull Request

question

wontfix

No Label question

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

claunia

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/markdig#121