mirror of https://github.com/flarum/core.git synced 2025-07-25 10:41:24 +02:00
Toby Zerner c42627b46d Add HTMLPurifier after formatters are run.
After a morning of searching, it seems there is no PHP Markdown library
that has built-in XSS/sanitization support. The recommended solution is
to use HTMLPurifier.

This actually works out OK, though, as it’s probably a good idea to
enforce sanitization regardless of which formatters are enabled, and to
not leave them with the responsibility of sanitization (it’s a big
responsibility). Since we cache rendered posts, the slow speed of
HTMLPurifier isn’t a concern.

Note that HTMLPurifier requires a file to be loaded by Composer, but
Studio does not yet support this, so for now I have included it
manually.
2015-06-02 11:36:25 +09:30