Does safeString filter showdown output?

Hasib_Mahmud · July 20, 2014, 5:36am

From Tom Dale’s video tutorial, I’ve found something like this:

Ember.Handlebars.helper('markdown', function(input) {
var showdown = new Showdown.converter();

if (typeof input == 'undefined')  return;

return new Ember.Handlebars.SafeString(showdown.makeHtml(input));
});

I think SafeString does not filter the output from the showdownjs. Showdown is allowing javascript, css too.

I wrote the following code on the textarea field:

<button onclick="alert('Hello world!');"></button>

and the button triggered the alert.

Topic		Replies	Views
Not vulnerable to XSS fast markdown library	4	2229	June 26, 2015
Safestring in HTMLbars	8	9033	July 14, 2015
Best way to convert newlines in data to HTML BR elements?	3	7753	October 23, 2014
Ember: Ember.Handlebars.SafeString not working on production? Ember Data	1	1596	December 28, 2016
Binding style attributes warning still popping up with safe string	12	7104	December 30, 2015

Does safeString filter showdown output?

Related topics