Disallowed Raw HTML (extension)

[freedit-dev]

https://github.github.com/gfm/#disallowed-raw-html-extension-

Is there any plan to implement this?

[ssokolow]

Honestly, that looks like scope creep and an opportunity for security vulnerabilities to creep in. It'd make more sense to just configure Ammonia to do that and run it on the output of your Markdown.

[GKnirps]

I use a workaround when I want to disallow all raw HTML:

let parser = Parser::new(input);
let escaped = parser
            .into_iter()
            .map(|event| match event {
                Event::Html(html) => Event::Text(html),
                _ => event,
            });

This way, all raw HTML is escaped. You can then use escaped to render as input to the HTML render function.

If you want to allow some html, I would recommend to use an external sanitizer and do something like

let parser = Parser::new(input);
let sanitized = parser
            .into_iter()
            .map(|event| match event {
                Event::Html(html) => Event::Html(sanitize(html)),
                _ => event,
            });