Tag: security

Pacharapol Withayasakpunt Pacharapol Withayasakpunt
Wed, April 29, 2020

You can use any markdown implementation, including MarkdownIt, but first you have to make it insecure first, by allowing HTML.

const markdownIt = MarkdownIt({
  html: true
})

Then, use DOMPurify, but allow <iframe> tag, including related attributes.

Then, sanitize insecure iframes later.

DOMPurify.addHook('uponSanitizeElement', (node, data) => {
  if (data.tagName === 'iframe') {
    const src = node.getAttribute('src') || ''
    if (!src.startsWith('https://www.youtube.com/embed/')) {
      return node.parentNode?.removeChild(node)
    }
  }
})