Suggestion: provide settings for which HTML tags are forbidden or allowed, whether JS is allowed, and so on #70

Closed
wakaryry opened this issue Apr 16, 2015 · 8 comments


@wakaryry

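Very nice work.
I'd personally suggest adding a setting to forbid or allow certain HTML tags, so that users can configure it themselves.
Also, shouldn't JS be disabled?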

@pandao
Owner

pandao commented Apr 16, 2015

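Example of filtering specified HTML tags from being parsed:

{
    htmlDecode : "style,script,iframe" // HTML tags you want to block from being parsed
    // htmlDecode : true                      // enable: parse all HTML tags
    // htmlDecode : false                     // disable HTML tag parsing
}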

https://pandao.github.io/editor.md/examples/html-tags-decode.html

@wakaryry
Author

I see what you mean
https://pandao.github.io/editor.md/examples/full.html
I think you should also block some attributes and events
Otherwise htmlDecode : "style,script,iframe" won't meet the requirement

<p style="color:red;text-align:center;border:3px solid #000;height:30px;line-height:24px;" onclick="javascript:alert('hi');">nihao ya </p>
<i class="fa fa-circle"></i>
<style>body{background:red;}</style>
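
Added example, not part of the thread and not editor.md's own code: a check that runs the snippet above through a simplified tag-only blocklist and lists the attributes that survive it. The function names `stripBlockedTags` and `auditAttributes` are hypothetical, and `stripBlockedTags` only models the `htmlDecode : "style,script,iframe"` setting; it is not the project's implementation.

```javascript
// Added example: a regression check, not a sanitizer and not editor.md code.
// stripBlockedTags() is a simplified stand-in for a tag-only blocklist such
// as htmlDecode : "style,script,iframe"; both function names are hypothetical.
function stripBlockedTags(html, blocked) {
  let out = html;
  for (const tag of blocked.split(",").map((t) => t.trim()).filter(Boolean)) {
    // Paired form first: <tag ...>content</tag>
    out = out.replace(new RegExp(`<${tag}\\b[^>]*>[\\s\\S]*?</${tag}\\s*>`, "gi"), "");
    // Then any unpaired opening or closing tag that is left over
    out = out.replace(new RegExp(`</?${tag}\\b[^>]*>`, "gi"), "");
  }
  return out;
}

// One attribute: name, optionally followed by a quoted or bare value.
const ATTR = `[^\\s"'>/=]+(?:\\s*=\\s*(?:"[^"]*"|'[^']*'|[^\\s"'>]+))?`;
const TAG_RE = new RegExp(`<([a-zA-Z][\\w-]*)((?:\\s+${ATTR})*)\\s*/?>`, "g");
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
const URL_ATTRS = new Set(["href", "src", "action", "formaction"]);

// List attributes that still carry script or styling after tag filtering.
function auditAttributes(html) {
  const findings = [];
  for (const [, tag, attrs] of html.matchAll(TAG_RE)) {
    for (const m of attrs.matchAll(ATTR_RE)) {
      const name = m[1].toLowerCase();
      const value = (m[2] ?? m[3] ?? m[4] ?? "").replace(/\s+/g, "");
      if (name.startsWith("on")) {
        findings.push({ tag, name, reason: "event handler" });
      } else if (name === "style") {
        findings.push({ tag, name, reason: "inline style" });
      } else if (URL_ATTRS.has(name) && /^javascript:/i.test(value)) {
        findings.push({ tag, name, reason: "javascript: URL" });
      }
    }
  }
  return findings;
}

// Sample input: the snippet posted in the comment above.
const sample = [
  `<p style="color:red;text-align:center;border:3px solid #000;height:30px;line-height:24px;" onclick="javascript:alert('hi');">nihao ya </p>`,
  `<i class="fa fa-circle"></i>`,
  `<style>body{background:red;}</style>`,
].join("\n");

const filtered = stripBlockedTags(sample, "style,script,iframe");
console.log(auditAttributes(filtered));
```

The `<style>` element is removed, but the `style` and `onclick` attributes on the `<p>` element are still reported, so an empty result from `auditAttributes` is the condition to test for once attribute and event filtering is in place.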

@pandao
Owner

pandao commented Apr 16, 2015

@wakaryry Mm, thanks for your suggestion, especially the one about blocking events.

@wakaryry
Author

Really great stuff
Can't wait to use it

@pandao
Owner

pandao commented Apr 21, 2015

@wakaryry @v1.4.2 now supports filtering the attributes and events of HTML tags.

@pandao pandao closed this as completed Apr 21, 2015
@wakaryry
Author

@pandao Nice

@shaginblog

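Does forbidding HTML tags here refer to the HTML tags in the preview part? Or will the HTML tags in the markdown content also be filtered when the form is submitted?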

@pandao
Owner

pandao commented May 9, 2015

@9v-kz It refers to the tags and attributes of the HTML that is parsed and previewed.
