Disable inline HTML for Markdown

Hello Caddy community!

I wanted to ask if it was possible to disable inline HTML using the markdown directive? Right now I can do things like <script>alert("Hello, World!")</script> in a .md file and it would execute.

Anything I can do to prevent that?

Well… https://video.twimg.com/tweet_video/DGuHi0NUMAAgls6.mp4 :slight_smile:

More helpfully: Are you in control of the Markdown files on your site? (please say yes)

This feature might be available in our Markdown renderer (I’d have to look), but it’s not exposed in Caddy, because it doesn’t seem like much of an actual risk. If you are allowing others to write arbitrary files to your server, I would be more concerned about that than the contents of Markdown files.

My intention was to, maybe, allow other people to get a folder where they can upload .md files which would be hosted on my site. After thinking about that for a bit it felt like too much of a hassle to deal with though.

Still, thanks for taking your time to try and help me. :slight_smile:

Our markdown library is due for an upgrade soon (I think v2 will be stable before the end of year, maybe?) - we can revisit this then. In the meantime, I strongly, strongly recommend using Content-Security-Policy and sanitizing user input, especially if you’re letting them upload files that get executed in web browsers! :sweat_smile:
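One way to act on that "sanitize user input" advice, as an added example that is not code from the Caddy project or from anyone in this thread: run the renderer's HTML output through an allow-list sanitizer before it is served, so raw HTML embedded in a user's .md file (a `<script>` block, an `onerror=` handler, a `javascript:` link) is removed while ordinary Markdown markup survives. The tag and attribute allow-list below is an assumption chosen for typical Markdown output, the sample input is constructed, and the code uses only Python's standard library.

```python
"""Allow-list sanitizer for HTML produced by a Markdown renderer (added example).

Constructed for this thread: feed it the rendered HTML, not the .md source,
so whatever raw HTML the Markdown file smuggled through the renderer is
stripped before the page reaches a browser.
"""
from html import escape
from html.parser import HTMLParser

# Assumed allow-list: tags a Markdown renderer emits for ordinary documents.
ALLOWED_TAGS = {
    "p", "a", "em", "strong", "code", "pre", "ul", "ol", "li", "br", "hr",
    "h1", "h2", "h3", "h4", "blockquote", "img", "table", "thead", "tbody",
    "tr", "th", "td",
}
# Only these attributes survive, per tag; on* handlers, style, etc. are dropped.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
VOID_TAGS = {"br", "hr", "img"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")


def safe_url(value):
    """True for relative URLs and http/https/mailto; False for javascript:, data:, etc."""
    # Drop control characters (tab, newline) that browsers ignore inside a scheme.
    cleaned = "".join(ch for ch in value if ch.isprintable()).strip().lower()
    # Only the part before the first "/" can carry a scheme.
    head = cleaned.split("/")[0]
    if ":" not in head:
        return True  # relative URL such as /docs/intro or intro.html
    return head.startswith(SAFE_SCHEMES)


class Sanitizer(HTMLParser):
    """Rebuilds the document from the allow-list; everything else is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>: drop their text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is removed; its text content is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not safe_url(value or ""):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Re-escape text so decoded entities cannot turn back into markup.
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments, <!DOCTYPE> and processing instructions fall through to the
    # base class no-ops and are therefore removed.


def sanitize(html_fragment):
    """Return a cleaned copy of a rendered-Markdown HTML fragment."""
    parser = Sanitizer()
    parser.feed(html_fragment)
    parser.close()
    return "".join(parser.out)


# Constructed sample: what a renderer emits for a .md file with inline HTML.
SAMPLE = (
    '<p>Hello <strong>world</strong> &amp; friends</p>'
    '<script>alert("Hello, World!")</script>'
    '<img src="cat.png" alt="cat" onerror="alert(1)">'
    '<a href="javascript:alert(1)">click</a>'
    '<a href="https://example.com" title="ok">fine</a>'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Run it over the rendered output of each .md file (or as a step in whatever pipeline serves them); the `<script>` block, the `onerror` handler and the `javascript:` href in the sample all disappear while the paragraph, image and normal link remain. Pair it with a `Content-Security-Policy` header (for example `default-src 'self'`, set with Caddy's `header` directive), which makes the browser refuse inline scripts and inline event handlers even if a sanitizer bug lets one through.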