Showdown HTML Escape plugin
This plugin for Showdown prevents
the use of arbitrary HTML and allows only the specific Markdown syntax.
This is useful if you want to allow your users to format text using the Markdown
syntax but you do not want them to directly enter HTML.
Installation
With bower
bower install showdown-htmlescape
With npm
npm install showdown-htmlescape
Manual
You can also download the latest release zip or tarball and include the file dist/showdown-htmlescape.js directly in your project.
Enabling the extension
Browser
You have to include both Showdown and the Showdown HTML Escape extension in your
project:
<script src="showdown.min.js"></script>
<script src="showdown-htmlescape.min.js"></script>After including the extension in your application, you just need to enable it
for your Showdown converter:
var converter = new showdown.Converter({extensions: ['htmlescape']})Node.js
var showdown = require('showdown')
var showdownHtmlEscape = require('showdown-htmlescape')
var converter = new showdown.Converter({ extensions: [showdownHtmlEscape] })Usage example
var converter = new showdown.Converter({extensions: ['htmlescape']})
var input = 'Allows **Markdown markup**, but does not allow <b>HTML markup</b>'
var html = converter.makeHtml(input)
console.log(html)This should output:
<p>Allows <strong>Markdown markup</strong>, but does not allow <b>HTML markup</b></p>Notes on security
This plugin is not meant to protect you from XSS attacks, it justs limits
the syntax available to the user to the Markdown specific syntax. If security
and XSS prevention is important for your use case you still must filter the
HTML generated by Showdown.
See Markdown's XSS Vulnerability (and how to mitigate it)
for details.
License
Showdown HTML Escape Copyright © 2015-2016 Philipp Wolfer phil@parolu.de
Published under the MIT license, see LICENSE.txt for details.