From 9d2665b895514d9c8463b342b854f99c0f746c6c Mon Sep 17 00:00:00 2001
From: adamb70
Date: Tue, 4 Feb 2020 13:23:20 +0000
Subject: [PATCH 1/3] Allow custom sanitize function Update README.md
---
 README.md | 5 +++++
 src/js/easymde.js | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/README.md b/README.md
index b68caba..01a1ef5 100644
--- a/README.md
+++ b/README.md
@@ -178,6 +178,7 @@ easyMDE.value('New input for **EasyMDE**');
 - **hljs**: An injectible instance of [highlight.js](https://github.com/isagalaev/highlight.js). If you don't want to rely on the global namespace (`window.hljs`), you can provide an instance here. Defaults to `undefined`.
 - **markedOptions**: Set the internal Markdown renderer's [options](https://marked.js.org/#/USING_ADVANCED.md#options). Other `renderingConfig` options will take precedence.
 - **singleLineBreaks**: If set to `false`, disable parsing GFM single line breaks. Defaults to `true`.
+ - **sanitizerFunction**: Custom function for sanitizing the HTML output of markdown renderer.
 - **shortcuts**: Keyboard shortcuts associated with this instance. Defaults to the [array of shortcuts](#keyboard-shortcuts).
 - **showIcons**: An array of icon names to show. Can be used to show specific icons hidden by default without completely customizing the toolbar.
 - **spellChecker**: If set to `false`, disable the spell checker. Defaults to `true`.
@@ -251,6 +252,10 @@ var editor = new EasyMDE({
 renderingConfig: {
 singleLineBreaks: false,
 codeSyntaxHighlighting: true,
+ sanitizerFunction: function(renderedHTML) {
+ // Using DOMPurify and only allowing tags
+ return DOMPurify.sanitize(renderedHTML, {ALLOWED_TAGS: ['b']})
+ },
 },
 shortcuts: {
 drawTable: "Cmd-Alt-T"
diff --git a/src/js/easymde.js b/src/js/easymde.js
index 4e0a2f6..78aa594 100644
--- a/src/js/easymde.js
+++ b/src/js/easymde.js
@@ -1762,6 +1762,11 @@ EasyMDE.prototype.markdown = function (text) {
 // Convert the markdown to HTML
 var htmlText = marked(text);
+
+ // Sanitize HTML
+ if (this.options.renderingConfig && typeof this.options.renderingConfig.sanitizerFunction === 'function') {
+ htmlText = this.options.renderingConfig.sanitizerFunction(htmlText);
+ }
 // Edit the HTML anchors to add 'target="_blank"' by default.
 htmlText = addAnchorTargetBlank(htmlText);

From c83c593d58dcf7c435b4567071b8dda3444eeb11 Mon Sep 17 00:00:00 2001
From: adamb70
Date: Tue, 4 Feb 2020 18:21:54 +0000
Subject: [PATCH 2/3] Use .call() on the sanitize function
---
 src/js/easymde.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/js/easymde.js b/src/js/easymde.js
index 78aa594..5e4d8ce 100644
--- a/src/js/easymde.js
+++ b/src/js/easymde.js
@@ -1765,7 +1765,7 @@ EasyMDE.prototype.markdown = function (text) {
 // Sanitize HTML
 if (this.options.renderingConfig && typeof this.options.renderingConfig.sanitizerFunction === 'function') {
- htmlText = this.options.renderingConfig.sanitizerFunction(htmlText);
+ htmlText = this.options.renderingConfig.sanitizerFunction.call(this, htmlText);
 }
 // Edit the HTML anchors to add 'target="_blank"' by default.

From f8434d7a4bf2acbc915d249bb9a5285dc62ecc9f Mon Sep 17 00:00:00 2001
From: adamb70
Date: Thu, 6 Feb 2020 12:36:30 +0000
Subject: [PATCH 3/3] Update CHANGELOG.md
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index eeb9a78..dd70263 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
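Review bot: The sanitizer hook runs before `htmlText = addAnchorTargetBlank(htmlText);`, so the string that reaches the preview is not the string the sanitizer approved but a later rewrite of it, and any post-processing that follows in `markdown()` (the function continues past the hunk) can reintroduce markup the sanitizer would have rejected. I would move the `if (… sanitizerFunction …)` block to just before `markdown()` returns so the hook sees the final HTML, or at minimum record the ordering with `// NOTE: runs before addAnchorTargetBlank(); later transforms must not add markup the sanitizer would reject`. The hook's return value is also used unchecked; a sanitizer that returns something other than a string (DOMPurify can return a DOM node or fragment depending on its options) reaches `addAnchorTargetBlank` as a non-string, so a non-string result should be treated as an error rather than silently falling back to the unsanitized `htmlText`. Nothing in these hunks shows what happens when the option is absent, so the README entry should state whether the preview is sanitized by default or only when `sanitizerFunction` is supplied.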
@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 ### Added
 - `inputStyle` and `nativeSpellcheck` options to manage the native language of the browser (Thanks to [@firm1], [#143]).
+- `sanitizerFunction` option to allow custom HTML sanitizing in the markdown preview (Thanks to [@adamb70], [#147]).
 ### Changed
 - Delay before assuming that submit of the form as failed is `autosave.submit_delay` instead of `autosave.delay` (Thanks to [@Situphen], [#139]).