This plugin for Showdown prevents the use of arbitrary HTML and allows only the specific Markdown syntax.
This is useful if you want to allow your users to format text using the Markdown syntax but you do not want them to directly enter HTML.
With bower
bower install showdown-htmlescape
With npm
npm install showdown-htmlescape
You can also download the latest release zip or tarball and include the file dist/showdown-htmlescape.js
directly in your project.
You have to include both Showdown and the Showdown HTML Escape extension in your project:
<script src="showdown.min.js"></script>
<script src="showdown-htmlescape.min.js"></script>
After including the extension in your application, you just need to enable it for your Showdown converter:
var converter = new showdown.Converter({extensions: ['htmlescape']})
var showdown = require('showdown')
var showdownHtmlEscape = require('showdown-htmlescape')
var converter = new showdown.Converter({ extensions: [showdownHtmlEscape] })
var converter = new showdown.Converter({extensions: ['htmlescape']})
var input = 'Allows **Markdown markup**, but does not allow <b>HTML markup</b>'
var html = converter.makeHtml(input)
console.log(html)
This should output:
<p>Allows <strong>Markdown markup</strong>, but does not allow <b>HTML markup</b></p>
This plugin is not meant to protect you from XSS attacks, it justs limits the syntax available to the user to the Markdown specific syntax. If security and XSS prevention is important for your use case you still must filter the HTML generated by Showdown. See Markdown's XSS Vulnerability (and how to mitigate it) for details.
Showdown HTML Escape Copyright © 2015-2016 Philipp Wolfer phil@parolu.de
Published under the MIT license, see LICENSE.txt for details.