From 8624ed9bd3c38c1907070a3b7de244fd487976c4 Mon Sep 17 00:00:00 2001 From: fiddlosopher Date: Sat, 22 Mar 2008 20:41:56 +0000 Subject: The '--sanitize-html' option now examines URIs in markdown links and images, and in HTML href and src attributes. If the URI scheme is not on a whitelist of safe schemes, it is rejected. The main point is to prevent cross-site scripting attacks using 'javascript:' URIs. See http://www.mail-archive.com/markdown-discuss@six.pairlist.net/msg01186.html and http://ha.ckers.org/xss.html. Resolves Issue #62. git-svn-id: https://pandoc.googlecode.com/svn/trunk@1262 788f1e2b-df1e-0410-8736-df70ead52e1b --- man/man1/html2markdown.1.md | 4 ---- man/man1/pandoc.1.md | 3 ++- 2 files changed, 2 insertions(+), 5 deletions(-) (limited to 'man') diff --git a/man/man1/html2markdown.1.md b/man/man1/html2markdown.1.md index 1db37cf47..905bdd0d0 100644 --- a/man/man1/html2markdown.1.md +++ b/man/man1/html2markdown.1.md @@ -51,10 +51,6 @@ a complete list. The following options are most relevant: \--no-wrap : Disable text wrapping in output. (Default is to wrap text.) -\--sanitize-html -: Sanitizes HTML using a whitelist. Unsafe tags are replaced by HTML - comments; unsafe attributes are omitted. - -H *FILE*, \--include-in-header=*FILE* : Include contents of *FILE* at the end of the header. Implies `-s`. diff --git a/man/man1/pandoc.1.md b/man/man1/pandoc.1.md index 5bf734d5a..e3ca8e591 100644 --- a/man/man1/pandoc.1.md +++ b/man/man1/pandoc.1.md @@ -128,7 +128,8 @@ to Pandoc. Or use `html2markdown`(1), a wrapper around `pandoc`. \--sanitize-html : Sanitizes HTML (in markdown or HTML input) using a whitelist. Unsafe tags are replaced by HTML comments; unsafe attributes - are omitted. + are omitted. URIs in links and images are also checked against a + whitelist of URI schemes. \--toc, \--table-of-contents : Include an automatically generated table of contents (HTML, markdown, -- cgit v1.2.3