[英]How to prevent Showdown from removing script tags?
I was testing out something and tried to put this into Showdown:我正在测试一些东西并试图将它放入摊牌:
<script>alert("hacked!");</script>
Of course it didn't alert anything (Showdown is made to protect against those sorts of things), but the <script>
tag gets removed completely.当然它没有提醒任何东西(摊牌是为了防止这些事情发生),但是<script>
标记被完全删除了。 I am using this for a user description, so the script tag (and it's contents) should be visible, just not executed.我将其用于用户描述,因此脚本标签(及其内容)应该是可见的,只是未执行。
I was thinking that most likely I would need to change some built in Showdown code but couldn't find any place in it's code that I should change to only show the script tags but not execute them.我在想我很可能需要更改一些内置的 Showdown 代码,但在它的代码中找不到任何我应该更改为仅显示脚本标签但不执行它们的地方。
Does anyone know any existing options or some changes to the source code to show this?有谁知道任何现有的选项或源代码的一些更改来显示这一点?
I found this place in the code and it is responsible for hashing HTML tags such as: <script>
or </script>
.我在代码中找到了这个地方,它负责散列 HTML 标签,例如: <script>
或</script>
。
https://github.com/showdownjs/showdown/blob/a9f38b6f057284460d6447371f3dc5dea999c0a6/src/subParsers/makehtml/hashHTMLBlocks.js https://github.com/showdownjs/showdown/blob/a9f38b6f057284460d6447371f3dc5dea999c0a6/src/subParsers/makehtml/hashHTMLBlocks.js
I think you should only delete lines 329 in the file我认为您应该只删除文件中的第 329 行
https://github.com/showdownjs/showdown/blob/a9f38b6f057284460d6447371f3dc5dea999c0a6/src/converter.js https://github.com/showdownjs/showdown/blob/a9f38b6f057284460d6447371f3dc5dea999c0a6/src/converter.js
And everything should work.一切都应该工作。
I found the answer: I just needed to replace the start and end of the <script>
tags with something visible, like <script
and </script>
我找到了答案:我只需要将<script>
标记的开头和结尾替换为可见的内容,例如<script
和</script>
This is the code I used:这是我使用的代码:
myshowdownhtml.split("<script").join("<script").split("<"+"/script>").join("</script>");
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.