Does safeString filter showdown output?

Hasib_Mahmud · July 20, 2014, 5:36am

From Tom Dale’s video tutorial, I’ve found something like this:

Ember.Handlebars.helper('markdown', function(input) {
var showdown = new Showdown.converter();

if (typeof input == 'undefined')  return;

return new Ember.Handlebars.SafeString(showdown.makeHtml(input));
});

I think SafeString does not filter the output from the showdownjs. Showdown is allowing javascript, css too.

I wrote the following code on the textarea field:

<button onclick="alert('Hello world!');"></button>

and the button triggered the alert.

Topic		Replies	Views
Fixing htmlSafe and isHTMLSafe deprecation Ember CLI	2	893	February 21, 2021
How to bind a javascript href and bypass XSS unsafe protection?	1	2332	March 29, 2016
Ember-CLI: Barcode scanning Ember CLI	2	1578	February 24, 2015
Server Side Error Handling	1	1980	August 12, 2013
Unhandledrejection in ember General	4	886	May 29, 2020

Does safeString filter showdown output?

Related Topics