
timokfine

Security when rendering Markdown?

I am using Markdown to render content from forum posts.

{!! Markdown::convertToHtml($post->content) !!}

I need to escape the content in order to parse it into HTML, but security wise, is it safe to do so? Is there a better way to do this?

Thanks.

0 likes
7 replies
constb

A good markdown renderer escapes text, although it may also allow any HTML to be embedded in the text by default (like Parsedown does). You should check its code to know for sure.

pmall

Just use the e helper and you can be sure you're safe.

{!! Markdown::convertToHtml(e($post->content)) !!}
constb

@pmall I doubt that. A markdown parser expects raw content; you're going to get double-escaped output this way.

bashy
Best Answer
Level 65

I used this before to render mine, but maybe there's a better way (I haven't checked what e() uses).

{{ Markdown::render(htmlentities($content, ENT_NOQUOTES, "UTF-8")) }}
1 like
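The replies above disagree on whether to escape before or after the Markdown step. The following is an added example (not code from anyone in this thread) that shows the double-escaping pitfall and the renderer-side settings that make raw HTML in a post harmless. It assumes league/commonmark (v1 API, convertToHtml()) and erusev/parsedown are installed through Composer; the Laravel Markdown facade used in the question wraps league/commonmark, and its config/markdown.php is assumed to expose the same html_input and allow_unsafe_links keys. The hostile input is constructed for the example.

```php
<?php
// Added example, not from the thread. Assumes league/commonmark (v1 API) and
// erusev/parsedown are installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use League\CommonMark\CommonMarkConverter;

// Constructed sample of hostile forum input: raw HTML, a javascript: link, and
// plain characters that must survive as text.
$untrusted = "Hello <script>alert(1)</script>\n\n"
           . "[click](javascript:alert(2))\n\n"
           . "Code: `A < B & C`";

// 1. Pitfall: escaping first (what e() does) and then rendering.
//    The Markdown parser expects raw text, so '<' and '&' arrive already
//    encoded; inside the code span they are rendered literally as
//    "&amp;lt;" and "&amp;amp;", i.e. double-escaped output.
$defaultConverter = new CommonMarkConverter();
$doubleEscaped = $defaultConverter->convertToHtml(
    htmlspecialchars($untrusted, ENT_QUOTES, 'UTF-8')
);

// 2. Let the renderer treat raw HTML as data instead. 'strip' removes raw
//    HTML, 'escape' keeps it visible as text; either way <script> never
//    reaches the browser as markup. allow_unsafe_links=false rejects
//    javascript:, vbscript:, file: and data: URLs in links and images.
function renderForumMarkdown(string $markdown): string
{
    static $converter = null;
    if ($converter === null) {
        $converter = new CommonMarkConverter([
            'html_input'         => 'strip',
            'allow_unsafe_links' => false,
        ]);
    }
    return $converter->convertToHtml($markdown);
}
$safeHtml = renderForumMarkdown($untrusted);

// 3. The equivalent switch for Parsedown, which passes raw HTML through
//    unless safe mode is enabled.
$parsedown = new Parsedown();
$parsedown->setSafeMode(true); // escapes raw HTML and drops unsafe link schemes
$parsedownHtml = $parsedown->text($untrusted);

// In a Blade view the renderer's output is already HTML, so it is printed
// unescaped: {!! renderForumMarkdown($post->content) !!}. Wrapping it in
// {{ }} instead would escape the generated tags and show them as text.
```

The point is that escaping belongs to exactly one layer: the Markdown renderer decides what is text and what is markup, so give it the raw post and configure it to escape or strip raw HTML, rather than pre-escaping with e() or htmlentities(). If the renderer is extended with plugins or you cannot audit it, a whitelist sanitizer such as HTMLPurifier run over the rendered HTML adds a second, independent check.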
