Nosy list: ThomasAH, ber, mschieder, ncoghlan, rouilj
>I wonder if this could be used for some form of attack using html/iframe
>or possibly letting a <script> tag skip through. The latter would be
>really bad as without the correct restrictions in place it would be
>I think using local_replace to change < into &lt; and > into &gt;
>before passing the resulting text to local_markdown will shortcut this
>attack, but I am not positive.
Roundup passes the HTML to local_replace with the replacements ('< into
&lt;', '> into &gt;', etc). So html/iframe and <script> tags are no
The link label ('[a safe side](http://a_bad_side.com)') doesn't work
either, because Roundup replaces the link with '<a
href="http://a_bad_side.com">http://a_bad_side.co</a>' and commonmark
doesn't recognize the link anymore.
The e-mail links work without restrictions.
>Also have you considered implementing a document preview mode to allow
>web entry of commonmark to be tested before it is committed?
Unfortunately I don't know Roundup so well yet and therefore I can't
estimate how complex the implementation is. So I'm not sure I'll
History: 2019-01-17 14:39:49, mschieder: set messageid <firstname.lastname@example.org>, nosy + mschieder, ber, rouilj, ThomasAH, ncoghlan; linked to issue2550856 messages
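The ordering mschieder describes (escape angle brackets and autolink in local_replace, then run the markdown pass over the result) as an added illustration that is not Roundup's code; the two stand-in functions, the URL and link regexes, and the sample inputs are constructed for the example, and the "markdown" pass is a toy that only handles [label](url) and *emphasis*:

```python
import re

# Constructed stand-ins for the two Roundup steps discussed in the thread.
# Bare URL matcher; stops at whitespace, brackets and at an already-escaped
# &lt; / &gt; so an escaped tag boundary is not swallowed into the href.
URL_RE = re.compile(r'''https?://(?:(?!&[lg]t;)[^\s<>()\[\]"'])+''')
# Markdown-style [label](url) link, as a commonmark renderer would see it.
MD_LINK_RE = re.compile(r'\[([^\]]+)\]\((https?://[^)\s]+)\)')


def local_replace(text: str) -> str:
    """Assumed behaviour of Roundup's local_replace: neutralise '<' and '>'
    first, so no raw <script>/<iframe> survives, then autolink bare URLs."""
    text = text.replace('<', '&lt;').replace('>', '&gt;')
    return URL_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', text)


def local_markdown(text: str) -> str:
    """Toy markdown pass: only [label](url) links and *emphasis*."""
    text = MD_LINK_RE.sub(r'<a href="\2">\1</a>', text)
    return re.sub(r'\*([^*]+)\*', r'<em>\1</em>', text)


def render(text: str) -> str:
    """Escape/autolink before markdown, the order the thread relies on."""
    return local_markdown(local_replace(text))


if __name__ == "__main__":
    # Constructed inputs: a raw tag, a deceptive link label, plain emphasis.
    for sample in ("<script>alert(1)</script>",
                   "[a safe side](http://a_bad_side.com)",
                   "see *this* at http://example.org/x"):
        print(render(sample))
```

Because the URL inside the parentheses is already wrapped in an `<a>` element when the markdown pass runs, the `[label](url)` pattern no longer matches, which is why the deceptive label is rendered as literal text next to the autolinked address.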