Reputation: 1775
I was testing out something and tried to put this into Showdown:
<script>alert("hacked!");</script>
Of course it didn't alert anything (Showdown is made to protect against those sorts of things), but the <script> tag gets removed completely. I am using this for a user description, so the script tag (and its contents) should be visible, just not executed.
I was thinking that most likely I would need to change some built-in Showdown code but couldn't find any place in its code that I should change to only show the script tags but not execute them.
Does anyone know any existing options or some changes to the source code to show this?
Upvotes: 0
Views: 445
Reputation: 1775
I found the answer: I just needed to replace the start and end of the <script> tags with something visible, like &lt;script and &lt;/script>.
This is the code I used:
// Escape the leading "<" of script tags so they are shown as text, not parsed as tags
myshowdownhtml.split("<script").join("&lt;script").split("<"+"/script>").join("&lt;/script>");
Upvotes: 0
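A case-insensitive variant of the replacement in the answer above, as an added example that is not code from the thread or from Showdown; the function name `showTagsAsText`, its `tagNames` parameter and the sample HTML are assumptions made for illustration. It goes slightly beyond the answer by accepting a list of tag names, and it only makes those tags visible as text; it does not sanitize other markup such as event-handler attributes.

```javascript
// Added example (hypothetical helper, not part of Showdown).
// Escapes the leading "<" of the listed tags so the browser renders them
// as visible text. Matching is case-insensitive, so <SCRIPT> and
// <Script src=...> are covered, which a case-sensitive split/join misses.
function showTagsAsText(html, tagNames = ["script"]) {
  if (tagNames.length === 0) {
    return html; // nothing to escape
  }
  for (const name of tagNames) {
    // Only plain tag names are allowed, so they are safe inside the regex.
    if (!/^[a-z][a-z0-9]*$/i.test(name)) {
      throw new Error("invalid tag name: " + name);
    }
  }
  // "<" or "</", one of the tag names, then a character that ends a tag name
  // (whitespace, "/" or ">"), so "<scripted>" is left alone.
  const pattern = new RegExp(
    "<(\\/?(?:" + tagNames.join("|") + "))(?=[\\s\\/>])",
    "gi"
  );
  return html.replace(pattern, "&lt;$1");
}

// Constructed sample standing in for the converter's HTML output (assumption).
const sampleHtml =
  "<p>My bio</p>\n" +
  '<script>alert("hacked!");</script>\n' +
  '<SCRIPT SRC="x.js"></SCRIPT>\n' +
  "<p>I like JavaScript</p>";

console.log(showTagsAsText(sampleHtml));
```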
Reputation: 144
I found this place in the code and it is responsible for hashing HTML tags such as: <script> or </script>.
I think you should only delete lines 329 in the file
And everything should work.
Upvotes: 0