Showdown HTML Escape plugin



This plugin for Showdown prevents
the use of arbitrary HTML and allows only the specific Markdown syntax.

This is useful if you want to allow your users to format text using the Markdown
syntax but you do not want them to directly enter HTML.

Installation

$3

bower install showdown-htmlescape

$3

npm install showdown-htmlescape

$3

You can also download the latest release zip or tarball and include the file dist/showdown-htmlescape.js directly in your project.

Enabling the extension

$3

You have to include both Showdown and the Showdown HTML Escape extension in your
project:

``HTML


`

After including the extension in your application, you just need to enable it
for your Showdown converter:

`JavaScript
var converter = new showdown.Converter({extensions: ['htmlescape']});
`

$3

`JavaScript
var showdown = require('showdown'),
showdownHtmlEscape = require('showdown-htmlescape');
var converter = new showdown.Converter({ extensions: [showdownHtmlEscape] });
`

Usage example

`JavaScript
var converter = new showdown.Converter({extensions: ['htmlescape']}),
input = 'Allows Markdown markup, but does not allow HTML markup',
html = converter.makeHtml(input);
console.log(html);
`

This should output:

`HTML


Allows Markdown markup, but does not allow <b>HTML markup</b>


``

Notes on security

This plugin is not meant to protect you from XSS attacks, it justs limits
the syntax available to the user to the Markdown specific syntax. If security
and XSS prevention is important for your use case you still must filter the
HTML generated by Showdown.
See Markdown's XSS Vulnerability (and how to mitigate it)
for details.

License

Showdown HTML Escape Copyright © 2015-2016 Philipp Wolfer

Published under the MIT license, see LICENSE.txt for details.