
How to prevent Showdown from removing script tags?

I was testing out something and tried to put this into Showdown:

<script>alert("hacked!");</script>

Of course it didn't alert anything (Showdown is made to protect against those sorts of things), but the <script> tag gets removed completely. I am using this for a user description, so the script tag (and its contents) should be visible, just not executed.

I was thinking that most likely I would need to change some built-in Showdown code but couldn't find any place in its code that I should change to only show the script tags but not execute them.

Does anyone know any existing options or some changes to the source code to show this?

I found this place in the code, and it is responsible for hashing HTML tags such as <script> or </script>.

https://github.com/showdownjs/showdown/blob/a9f38b6f057284460d6447371f3dc5dea999c0a6/src/subParsers/makehtml/hashHTMLBlocks.js

I think you should only delete line 329 in the file

https://github.com/showdownjs/showdown/blob/a9f38b6f057284460d6447371f3dc5dea999c0a6/src/converter.js

And everything should work.

I found the answer: I just needed to replace the start and end of the <script> tags with something visible, like &lt;script and &lt;/script&gt;

This is the code I used:

myshowdownhtml.split("<script").join("&lt;script").split("<"+"/script>").join("&lt;/script&gt;");
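A more general form of the replacement in the answer above, as an added example that is not part of the original thread: it also covers upper-case tags, tags with attributes, script bodies containing `<`, and unclosed tags. The helper names (`escapeHtml`, `showScriptTags`) and the sample string are assumptions made for illustration.

```javascript
// Added example (not from the original thread). Helper names are hypothetical.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" };

// Escape the characters that would let text be parsed as markup.
function escapeHtml(text) {
  return text.replace(/[&<>"]/g, (ch) => ENTITIES[ch]);
}

// A complete <script ...> ... </script> element, in any letter case.
const SCRIPT_ELEMENT = /<script(?=[\s\/>])[^>]*>[\s\S]*?<\/script[^>]*>/gi;
// A leftover opening or closing script tag with no partner (or no closing ">").
const SCRIPT_TAG = /<\/?script(?=[\s\/>]|$)[^>]*>?/gi;

// Takes the HTML string produced by the Markdown converter and returns HTML
// in which script elements appear as literal text instead of elements.
function showScriptTags(html) {
  return html
    .replace(SCRIPT_ELEMENT, (match) => escapeHtml(match)) // whole elements first
    .replace(SCRIPT_TAG, (match) => escapeHtml(match));    // then stray tags
}

// Constructed sample standing in for converter output.
const sample =
  '<p>About me</p>\n' +
  '<SCRIPT type="text/javascript">if (a<b) alert("hacked!");</SCRIPT>';

console.log(showScriptTags(sample));
```

This handles only script elements; any other markup in the converter output is left as it is, so descriptions from untrusted users still need an allow-list HTML sanitizer applied to the final output.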
