Patch #16087: Markdown renderer doesn’t clean HTML properly - Redmine

Actions

Copy link

Patch #16087

closed

Markdown renderer doesn’t clean HTML properly

Added by Charmander - about 10 years ago. Updated about 5 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Category:

Text formatting

Target version:

Start date:

Due date:

% Done:

Estimated time:

Description

The current renderer strips HTML (contrary to conventional Markdown) and still fails to catch everything:

[bad link](javascript:alert(1\))

This fixes both behaviours. scrub-classes is a patch to remove unrecognized classes that could potentially be used to annoy; I haven’t completed the list because the existing implementation already allows all classes through syntax highlighting:

~~~any-class-here
code block
~~~

Files

Download all files

redmine-markdown-loofah.diff (2.42 KB) redmine-markdown-loofah.diff	the main patch	Charmander -, 2014-02-13 03:43
redmine-markdown-scrub-classes.diff (1.53 KB) redmine-markdown-scrub-classes.diff		Charmander -, 2014-02-13 03:45

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Redmine

Custom queries

Patch #16087

Markdown renderer doesn’t clean HTML properly

Updated by Charmander - about 10 years ago

Updated by Charmander - almost 10 years ago

Updated by Toshi MARUYAMA almost 10 years ago

Updated by Charmander - almost 10 years ago

Updated by Toshi MARUYAMA almost 10 years ago

Updated by Charmander - almost 10 years ago

Updated by Charmander - almost 10 years ago

Updated by Charmander - almost 9 years ago

Updated by Go MAEDA about 5 years ago