Security Considerations
When converting Markdown to HTML, security is paramount. The Markdown to HTML Converter includes built-in security features to protect against common web vulnerabilities.
Built-in Security Features
HTML Sanitization
With sanitization enabled (the sanitize option described under Security Best Practices below), the converter removes potentially dangerous content from the HTML output:
What Gets Removed
- Script Tags: All <script> elements and the JavaScript they contain
- Event Handlers: Attributes such as onclick, onload and onerror
- Iframe Elements: Embedded content that could be malicious
- Object/Embed Tags: Flash and other plugin content
- Form Elements: Input fields that could be used for attacks
Example Sanitization
Input:
This is safe text with <script>alert('XSS')</script> malicious code.
Output:
<p>This is safe text with malicious code.</p>
XSS Protection
Cross-Site Scripting (XSS) attacks are prevented through:
- Content Filtering: Dangerous HTML elements are stripped
- Attribute Validation: Only safe attributes are preserved
- URL Validation: Links are checked for malicious protocols
Safe HTML Elements
These elements are preserved and considered safe:
Text Formatting
- <strong>, <em>, <code>, <pre>, <del>, <ins>, <mark>
Structure Elements
- <div>, <span>, <p>, <br>, <h1> through <h6>
Lists
- <ul>, <ol>, <li>
Links and Images
- <a> (with href validation)
- <img> (with src validation)
Security Best Practices
1. Always Enable Sanitization
Recommended:
const options = {
sanitize: true, // Always enable for user content
};
Not Recommended:
const options = {
sanitize: false, // Only for trusted content
};
2. Validate Input Sources
Before converting Markdown, consider the source:
Trusted Sources (Sanitization Optional)
- Your own content
- Verified documentation
- Known safe repositories
Treat a source as trusted only when you control every step between authoring and rendering. A repository that accepts outside pull requests, or documentation fetched over the network at build time, belongs in the untrusted category.
Untrusted Sources (Sanitization Required)
- User-generated content
- External documentation
- Unknown or public sources
3. Content Validation
Check for Suspicious Patterns
<!-- These patterns should be flagged -->
<script>...</script>
<iframe src="..."></iframe>
<a href="javascript:...">...</a>
<img src="..." onerror="...">
Safe Patterns
<!-- These are generally safe -->
**Bold text**
_Italic text_
[Safe link](https://example.com)

Advanced Security Options
Custom Sanitization Rules
For advanced users, you can implement custom sanitization. Pattern-based removal like the example below is fragile: it cannot see unquoted or single-quoted attributes it was not written for, entity-encoded characters, or tags split across comments, so use it as an extra layer on top of the built-in sanitizer, never as a replacement for it:
const customSanitize = (html) => {
// Remove <script> elements together with their content (case-insensitive)
html = html.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '');
// Remove event-handler attributes whether double-quoted, single-quoted or unquoted
html = html.replace(/\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, '');
// Neutralise href/src values whose scheme is not on the allowlist; relative URLs
// and the http, https, mailto and tel schemes from the URL Validation section are kept
html = html.replace(/\b(href|src)\s*=\s*"([^"]*)"/gi, (match, attr, url) => {
const value = url.trim();
const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(value);
const allowed = /^(?:https?:|mailto:|tel:)/i.test(value);
return !hasScheme || allowed ? match : `${attr}="#"`;
});
return html;
};
URL Validation
The converter validates URLs to prevent malicious links:
Allowed Protocols
- http:// and https://
- mailto: for email addresses
- tel: for phone numbers
- Relative URLs (/path, ../path)
Blocked Protocols
- javascript: - Prevents XSS attacks
- data: - Prevents data URI attacks
- vbscript: - Prevents VBScript execution
A protocol check is only reliable when it runs on the decoded, normalised value: browsers ignore tabs, newlines and other control characters inside the scheme and match it case-insensitively, so a plain prefix comparison would accept java&Tab;script:, JAVASCRIPT: and &#106;avascript: even though all three execute as javascript:.
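Pattern-based stripping like customSanitize above has to anticipate every encoding trick an attacker might use. The safer approach is to tokenize the markup and rebuild it from an allowlist, so anything that is not explicitly recognised is escaped or dropped. The following is an added example of that approach written for this page; it is not the converter's own code. It takes the element allowlist from the Safe HTML Elements section and the scheme lists from URL Validation; the ALLOWED_ATTRS table, the sanitizeHtml and isSafeUrl names, the entity decoder and the sample input are assumptions made for the illustration.

```javascript
// Added example, not the converter's own code: an allowlist sanitizer that
// re-serializes markup instead of deleting bad patterns with regexes.
// Tag, attribute and scheme lists follow the "Safe HTML Elements" and
// "URL Validation" sections; everything else here is an assumption.

const ALLOWED_TAGS = new Set([
  'strong', 'em', 'code', 'pre', 'del', 'ins', 'mark',
  'div', 'span', 'p', 'br', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
  'ul', 'ol', 'li', 'a', 'img',
]);
// Elements removed together with their content: the body of a <script>
// or <iframe> must not survive as visible text.
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed', 'noscript']);
// Attribute allowlist; '*' applies to every allowed tag. No on* attribute and
// no style, so event handlers and CSS injection are dropped by default.
const ALLOWED_ATTRS = {
  '*': new Set(['title']), a: new Set(['href']), img: new Set(['src', 'alt']),
};
const URL_ATTRS = new Set(['href', 'src']);
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);
const NAMED_ENTITIES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':', tab: '\t', newline: '\n',
};

// Decode numeric and a few named character references so obfuscated values
// ("&#106;avascript:", "java&Tab;script:") are checked in their plain form.
// Numeric references are decoded even without ';' because browsers do too.
function decodeEntities(s) {
  return s.replace(/&(?:#(x[0-9a-f]+|\d+);?|([a-z]+);)/gi, (m, num, name) => {
    if (num !== undefined) {
      const cp = num[0].toLowerCase() === 'x' ? parseInt(num.slice(1), 16) : parseInt(num, 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    const ch = NAMED_ENTITIES[name.toLowerCase()];
    return ch === undefined ? m : ch;
  });
}

// A URL is safe if it is relative or its scheme is on the allowlist.
// Control characters and whitespace are stripped first because browsers
// ignore them when reading the scheme, so "java\nscript:" still executes.
function isSafeUrl(raw) {
  const url = decodeEntities(raw).replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) return true; // no scheme: /path, ../path, #anchor, ?query
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

const escapeAttr = (s) =>
  s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');

// Matches one complete tag at lastIndex (sticky flag). Anything that does not
// parse cleanly as a tag is treated as text and its '<' is escaped.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s"'<>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'<>=`]+))?)*)\s*\/?>/y;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>=`]+)))?/g;

// Rebuild the attribute list from the allowlist only, re-escaping every value.
// The value is decoded once here and again inside isSafeUrl; the double
// decode can only make the check stricter.
function serializeAttrs(tag, attrText) {
  let out = '';
  for (const m of attrText.matchAll(ATTR_RE)) {
    const attr = m[1].toLowerCase();
    if (!ALLOWED_ATTRS['*'].has(attr) && !(ALLOWED_ATTRS[tag] && ALLOWED_ATTRS[tag].has(attr))) continue;
    const value = decodeEntities(m[2] ?? m[3] ?? m[4] ?? '');
    if (URL_ATTRS.has(attr) && !isSafeUrl(value)) continue; // javascript:, data:, vbscript:
    out += ` ${attr}="${escapeAttr(value)}"`;
  }
  return out;
}

function sanitizeHtml(input) {
  let out = '';
  let i = 0;
  while (i < input.length) {
    const lt = input.indexOf('<', i);
    if (lt === -1) { out += input.slice(i); break; }
    out += input.slice(i, lt);
    TAG_RE.lastIndex = lt;
    const m = TAG_RE.exec(input);
    if (!m) { out += '&lt;'; i = lt + 1; continue; } // not a well-formed tag: keep as text
    const [whole, slash, rawName, attrText] = m;
    const name = rawName.toLowerCase();
    i = lt + whole.length;
    if (!slash && DROP_WITH_CONTENT.has(name)) {
      const close = new RegExp(`</${name}\\s*>`, 'i').exec(input.slice(i));
      i = close ? i + close.index + close[0].length : input.length; // skip the whole element
    } else if (ALLOWED_TAGS.has(name)) {
      out += slash ? `</${name}>` : `<${name}${serializeAttrs(name, attrText)}>`;
    }
    // any other element: the tag is dropped and only its text content survives
  }
  return out;
}

// Constructed sample input (not from the page): a mixed-case, entity-encoded scheme.
console.log(sanitizeHtml('<a href="JaVaScRiPt&#58;alert(1)" onclick="x()">Click</a>'));
// prints: <a>Click</a>
```

Because the output is rebuilt rather than filtered, a malformed tag such as `<img src="x onerror="alert(1)">` never reaches the browser as a tag: it fails TAG_RE and is emitted as escaped text. The example does not balance opening and closing tags, so unbalanced user markup can still disturb page layout; that is a rendering problem, not a security one, and a production sanitizer should build a proper tree.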
Content Security Policy (CSP)
When serving a page that embeds the converted HTML, send a Content-Security-Policy response header with it. The directives below are listed one per line for readability; the header value itself is a single line with directives separated by semicolons.
Recommended CSP
Content-Security-Policy:
default-src 'self';
script-src 'self';
style-src 'self' 'unsafe-inline';
img-src 'self' data: https:;
connect-src 'self';
CSP for User Content
Content-Security-Policy:
default-src 'none';
script-src 'none';
style-src 'self' 'unsafe-inline';
img-src 'self' data: https:;
base-uri 'none';
form-action 'none';
Two caveats on these policies. 'unsafe-inline' in style-src is a concession to converters that emit inline styles; it also permits CSS injection through any style attribute or <style> element that survives sanitization, so drop it if the converter output contains no inline styles. data: in img-src is only needed if image data URIs are meant to render; because the URL validation above blocks data:, it can be removed as well. Neither policy stops the page itself from being embedded in a frame; add frame-ancestors 'none' for that.
Common Security Threats
1. Cross-Site Scripting (XSS)
Threat: Malicious scripts injected into the HTML output
Protection: HTML sanitization removes script tags, event handlers and javascript: URLs
2. Clickjacking
Threat: An attacker frames the page that displays the converted HTML, or embeds a hostile iframe inside it, and overlays invisible controls on the content
Protection: Iframe elements are removed during sanitization. Preventing the page itself from being framed is outside the sanitizer's reach; set frame-ancestors in the CSP header for that
3. Data Exfiltration
Threat: Malicious links that run script or send data to an attacker when followed
Protection: URL validation rejects dangerous protocols
4. Content Injection
Threat: Malicious HTML injected into content
Protection: Only safe HTML elements are preserved
Security Checklist
Before deploying converted HTML:
- HTML sanitization is enabled
- Input content is validated
- URLs are properly validated
- CSP headers are implemented
- Regular security updates are applied
- Content is tested for vulnerabilities
Testing Security
Manual Testing
- Try injecting script tags
- Test with malicious URLs
- Check for event handlers
- Verify iframe removal
Automated Testing
// convertMarkdown is the converter's API as used in this documentation.
// Every case must come out without executable content; checks run on the
// lower-cased result because <ScRiPt> and ONERROR are just as dangerous.
const testCases = [
'<script>alert("XSS")</script>',
'<img src="x" onerror="alert(1)">',
'<a href="javascript:alert(1)">Click</a>',
'<iframe src="malicious.com"></iframe>',
'<a href="JaVaScRiPt:alert(1)">Click</a>', // mixed-case scheme
'<img src="x" onerror=alert(1)>', // unquoted attribute value
];
testCases.forEach((testCase) => {
const result = convertMarkdown(testCase, { sanitize: true }).toLowerCase();
console.assert(!result.includes('<script'), 'Script tag not removed');
console.assert(!result.includes('onerror'), 'Event handler not removed');
console.assert(!result.includes('javascript:'), 'javascript: URL not removed');
console.assert(!result.includes('<iframe'), 'Iframe not removed');
});
Reporting Security Issues
If you discover a security vulnerability:
- Do not create a public issue
- Email security details to the maintainers
- Include steps to reproduce
- Provide your contact information
- Allow time for a fix before disclosure
Security Updates
The converter is regularly updated to address:
- New security vulnerabilities
- Improved sanitization rules
- Enhanced validation methods
- Updated security best practices
Compliance and Standards
The converter follows security standards:
- OWASP Guidelines: Web application security
- CSP Standards: Content Security Policy
- HTML5 Security: Modern web security practices
- XSS Prevention: Cross-site scripting protection
Next Steps
Learn more about:
- API Reference for security options
- Examples for secure implementations
- FAQ for common security questions