Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make cmark safe by default #273

Closed
Hultner opened this issue Oct 17, 2018 · 4 comments
Closed

Make cmark safe by default #273

Hultner opened this issue Oct 17, 2018 · 4 comments

Comments

@Hultner
Copy link

Hultner commented Oct 17, 2018

@kivikakk have changed the default behaviour in cmark-gfm to be safe by default.
github#123

This is the result of a library I created earlier this week as a response to the large number of XSS-exploits found in the wild the past year or so. Hence I wanted to provide a safe by default library wrapping cmark-gfm.
https://github.com/Hultner/safemd

Getting this changed upstream in cmark-gfm was a much greater success than I ever expected from my project and the natural next steps would be to lift it all the way up to cmark.

My suggestion is that we implement similar changes into cmark so you have to be explicitly unsafe instead of implicit unsafe.

I am a strong believer safe by default and hope you'll consider my concerns.
@fingolfin
Copy link

Isn't this a duplicate of #239?

@Hultner
Copy link
Author

Hultner commented Nov 19, 2018

@fingolfin Yep looks like it, didn’t find that one when I posted this.

However I do think we should reconsider allowing a safe subset of html per default since evidently a lot of consumers will just rely on the default behaviour unknowingly exposing themselves (and their users) for unnecessary risk.

From my point of view it’s almost always better to be explicit about unsafe behaviour then the opposite.

@jgm
Copy link
Member

jgm commented Mar 18, 2019

This is the reference implementation for commonmark.
So, I think it makes sense for the default to pass through raw HTML, since that's part of the commonmark spec.
Otherwise the default behavior doesn't conform to the spec and won't pass the automatic tests.

@jgm jgm closed this as completed Mar 18, 2019
@jgm
Copy link
Member

jgm commented Mar 18, 2019

Closing as duplicate, but still considering this.

jgm added a commit that referenced this issue Mar 18, 2019
@jgm
Make rendering safe by default.
325a147 
Removes CMARK_OPT_SAFE from options.

Adds CMARK_OPT_UNSAFE, with the opposite meaning.
The new default behavior is to suppress raw HTML and
potentially dangerous links.  The CMARK_OPT_UNSAFE
option has to be set explicitly to prevent this.

--------------------------------------------------------
NOTE: This change will require modifications in
bindings for cmark and in most libraries and programs
that use cmark.
--------------------------------------------------------

Closes #239, #273.

Borrows heavily from @kivikakk's patch in github#123.
talum referenced this issue in github/cmark-gfm Sep 14, 2021
@jgm
Make rendering safe by default.
89c6b9b 
Removes CMARK_OPT_SAFE from options.

Adds CMARK_OPT_UNSAFE, with the opposite meaning.
The new default behavior is to suppress raw HTML and
potentially dangerous links.  The CMARK_OPT_UNSAFE
option has to be set explicitly to prevent this.

--------------------------------------------------------
NOTE: This change will require modifications in
bindings for cmark and in most libraries and programs
that use cmark.
--------------------------------------------------------

Closes #239, #273.

Borrows heavily from @kivikakk's patch in #123.
QuietMisdreavus pushed a commit to swiftlang/swift-cmark that referenced this issue Jul 26, 2023
@anticomputer
Merge pull request commonmark#273 from waldyrious/marker-vs-delimiter
63dd7b7 
Normalize nomenclature: marker row vs. delimiter row
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jgm @fingolfin @Hultner