mirror of
https://github.com/laurent22/joplin.git
synced 2024-12-24 10:27:10 +02:00
Doc: Describe how to escape Markdown in coding style
This commit is contained in:
parent a46648f1ee
commit df9bfc7635
@ -196,6 +196,10 @@ As much as possible, avoid default parameters in **function definitions** and op
If you search for ["XSS" in the Joplin git log](https://github.com/laurent22/joplin/search?q=xss&type=commits) you'll find several security vulnerabilities that have been fixed over the year, and that happened in various places that are hard to predict. So we need to be careful with this and make sure we correctly escape user content.
We should do so even if we think we control the input or that it will always have a certain format. That may change in the future, or that could be exploited via another bug.
Finally, escaping data is often required to prevent markup code from breaking. For example quotes or angled brackets have to be escaped in HTML or else the markup is likely to break.
How you escape the data depends on where you are going to insert it so there's no single function that's going to cover all cases.
### To insert into a JS script
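Review bot: the first added paragraph has a typo, "fixed over the year" should read "fixed over the years". The rest of the hunk reads well; the closing sentence ("there's no single function that's going to cover all cases") would be stronger if it named the contexts the following sections cover (JS, URLs, Markdown, HTML), so the reader knows what "where you are going to insert it" ranges over.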
@ -234,6 +238,18 @@ encodeURI('https://domain.com/path to a document.pdf');
// 'https://domain.com/path%20to%20a%20document.pdf'
```
### To insert into Markdown code
Use the provided escape functions in `lib/markdownUtils`:
- `escapeTableCell()` for tables
- `escapeInlineCode()` for inline code
- `escapeTitleText()`and `escapeLinkUrl()` for links:
```ts
const markdown = `[${markdownUtils.escapeTitleText(linkTitle)}](${markdownUtils.escapeLinkUrl(linkUrl)})`;
```
### Escape as late as possible
Ideally the application should only deal with raw, unencoded data, so it means data should be decoded and encoded at the application boundaries. Doing so means we avoid accidentally double-escaping data, or having to encode/decode within the app, which is error prone.
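Review bot: in the bullet "`escapeTitleText()`and `escapeLinkUrl()` for links:" a space is missing before "and". The `ts` snippet also uses `markdownUtils` without showing where it comes from; since the paragraph above only says "the provided escape functions in `lib/markdownUtils`", consider adding the import line to the snippet so it can be copied as-is. The "Escape as late as possible" section would benefit from stating the companion rule in one line: keep the raw string while it moves through the app and call the escape function only in the expression that builds the final output, which is what the link snippet above already does.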