Does safeString filter showdown output?


#1

From Tom Dale’s video tutorial, I’ve found something like this:

Ember.Handlebars.helper('markdown', function(input) {
  var showdown = new Showdown.converter();

  // Nothing bound yet, so render nothing.
  if (typeof input == 'undefined') return;

  // SafeString marks the string as already-trusted HTML, so Handlebars
  // inserts showdown's output verbatim instead of escaping it.
  return new Ember.Handlebars.SafeString(showdown.makeHtml(input));
});

I think SafeString does not filter the output from showdownjs. Showdown allows JavaScript and CSS too.

I wrote the following code in the textarea field:

<button onclick="alert('Hello world!');"></button>

and the button triggered the alert.
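An added example, not code from the post, from Ember or from Showdown: an allowlist post-filter meant to sit between showdown.makeHtml() and SafeString(), so only the markup Markdown legitimately produces reaches the page while raw HTML such as the button above is shown literally. It is plain Node.js with no dependencies; the SHOWDOWN_OUTPUT string is a constructed stand-in for what the converter would return, and a maintained sanitizer (DOMPurify, for instance) is the better choice in production.

```javascript
// Allowlist of tags and attributes that Markdown output may contain; anything
// else is neutralised. Assumed sets, trimmed to what the example needs.
const ALLOWED_TAGS = new Set(['p', 'br', 'em', 'strong', 'code', 'pre', 'ul',
  'ol', 'li', 'blockquote', 'h1', 'h2', 'h3', 'h4', 'a']);
const ALLOWED_ATTRS = { a: new Set(['href']) };        // no on*, style, src, ...
const SAFE_HREF = /^(https?:|mailto:|\/|#)/i;          // allowlist of URL schemes

// Escape only the characters that can open markup; showdown already encodes
// '&' in text, so encoding it again here would double-escape.
const escapeText = (s) => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = (s) => escapeText(s).replace(/"/g, '&quot;');

const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*(\/?)>/g;
const ATTR_RE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function sanitizeHtml(html) {
  let out = '';
  let last = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));     // text between tags
    last = TAG_RE.lastIndex;
    const [whole, close, rawName, rawAttrs, selfClose] = m;
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) {                     // <button>, <script>, <img> ...
      out += escapeText(whole);                        // displayed, never parsed as a tag
      continue;
    }
    if (close) { out += `</${name}>`; continue; }
    let attrs = '';
    const allowed = ALLOWED_ATTRS[name];
    let a;
    ATTR_RE.lastIndex = 0;
    while (allowed && (a = ATTR_RE.exec(rawAttrs)) !== null) {
      const attr = a[1].toLowerCase();
      const value = (a[2] ?? a[3] ?? a[4] ?? '').trim();
      if (!allowed.has(attr)) continue;                // drops onclick=, style=, ...
      if (attr === 'href' && !SAFE_HREF.test(value)) continue; // drops javascript:, data:
      attrs += ` ${attr}="${escapeAttr(value)}"`;
    }
    out += `<${name}${attrs}${selfClose ? ' /' : ''}>`;
  }
  return out + escapeText(html.slice(last));
}

// Constructed stand-in for showdown.makeHtml() applied to the poster's input.
const SHOWDOWN_OUTPUT = '<p><button onclick="alert(\'Hello world!\');"></button></p>';
console.log(sanitizeHtml(SHOWDOWN_OUTPUT));
// In the helper (not runnable here):
//   new Ember.Handlebars.SafeString(sanitizeHtml(showdown.makeHtml(input)))
```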