From ad62bf5a6fc25052949f4ebba29375363045a009 Mon Sep 17 00:00:00 2001 From: Aidan Woods Date: Wed, 28 Feb 2018 17:01:31 +0000 Subject: [PATCH 1/4] Talk about safe mode in the README --- README.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 76b6905..68f216e 100644 --- a/README.md +++ b/README.md @@ -38,7 +38,20 @@ More examples in [the wiki](https://github.com/erusev/parsedown/wiki/) and in [t ### Security -Parsedown does not sanitize the HTML that it generates. When you deal with untrusted content (ex: user comments) you should also use a HTML sanitizer like [HTML Purifier](http://htmlpurifier.org/). +Parsedown is capable of escaping user-input within the HTML that it generates. +Additionally Parsedown can attempt to sanitize additional scriping vectors (such +as scripting link destinations). To tell Parsedown that it is processing untrusted +user input, use the following: +```php +$parsedown = new Parsedown; +$parsedown->setSafeMode(true); +``` + +It is recommended that when you deal with untrusted content (ex: user comments) +you should employ defense-in-depth measures, like making use of a HTML sanitizer +that allows HTML tags to be whitelisted, like [HTML Purifier](http://htmlpurifier.org/). +Additionally, you should strongly consider +[deploying a Content-Secuity-Policy](https://scotthelme.co.uk/content-security-policy-an-introduction/). ### Questions From 90439ef882500d98f581e725833bec370ece6bb2 Mon Sep 17 00:00:00 2001 From: Aidan Woods Date: Thu, 1 Mar 2018 18:44:11 +0000 Subject: [PATCH 2/4] Rewrite section --- README.md | 32 +++++++++++++++++++++++++------- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 68f216e..9bc3657 100644 --- a/README.md +++ b/README.md 
@@ -39,19 +39,37 @@ More examples in [the wiki](https://github.com/erusev/parsedown/wiki/) and in [t ### Security Parsedown is capable of escaping user-input within the HTML that it generates. -Additionally Parsedown can attempt to sanitize additional scriping vectors (such -as scripting link destinations). To tell Parsedown that it is processing untrusted -user input, use the following: +Additionally Parsedown will apply sanitisation to additional scripting vectors (such +as scripting link destinations) that are introduced by the markdown syntax itself. +To tell Parsedown that it is processing untrusted user-input, use the following: ```php $parsedown = new Parsedown; $parsedown->setSafeMode(true); ``` -It is recommended that when you deal with untrusted content (ex: user comments) -you should employ defense-in-depth measures, like making use of a HTML sanitizer +If instead, you wish to allow HTML within untrusted user input, but still want +output to be free from XSS it is recommended that you make use of a HTML sanitiser that allows HTML tags to be whitelisted, like [HTML Purifier](http://htmlpurifier.org/). -Additionally, you should strongly consider -[deploying a Content-Secuity-Policy](https://scotthelme.co.uk/content-security-policy-an-introduction/). + +In both cases you should strongly consider employing defence-in-depth measures, +like [deploying a Content-Secuity-Policy](https://scotthelme.co.uk/content-security-policy-an-introduction/) +(making use of browser security feature) so that your page is likely to be safe even if an +attacker finds a vulnerability in one of the first lines of defence above. + +#### Security of Parsedown Extensions + +Safe mode does not necessarily yield safe results when using extensions to Parsedown. Extensions should be evaluated on their own to determine their specific safety against XSS. + +### Escaping HTML +> ⚠️  **WARNING:** This method isn't safe from XSS! 
+ +If you wish to escape HTML **in trusted input**, you can use the following: +```php +$parsedown = new Parsedown; +$parsedown->setMarkupEscaped(true); +``` + +Beware that this still allows users to insert unsafe scripting vectors, such as links like `[xss](javascript:alert%281%29)`. ### Questions From 9b1f54b9d3bbe45b5a204a3a3c731fb5dccca695 Mon Sep 17 00:00:00 2001 From: Aidan Woods Date: Thu, 1 Mar 2018 18:45:38 +0000 Subject: [PATCH 3/4] Lets be consistent with hyphenation --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9bc3657..b67a886 100644 --- a/README.md +++ b/README.md @@ -47,7 +47,7 @@ $parsedown = new Parsedown; $parsedown->setSafeMode(true); ``` -If instead, you wish to allow HTML within untrusted user input, but still want +If instead, you wish to allow HTML within untrusted user-input, but still want output to be free from XSS it is recommended that you make use of a HTML sanitiser that allows HTML tags to be whitelisted, like [HTML Purifier](http://htmlpurifier.org/). From f3068df45a80f98e96666682423b025c51cf301d Mon Sep 17 00:00:00 2001 From: Aidan Woods Date: Thu, 1 Mar 2018 19:54:58 +0000 Subject: [PATCH 4/4] Remove extra line breaks --- README.md | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index b67a886..e950bd2 100644 --- a/README.md +++ b/README.md 
@@ -38,23 +38,17 @@ More examples in [the wiki](https://github.com/erusev/parsedown/wiki/) and in [t ### Security -Parsedown is capable of escaping user-input within the HTML that it generates. -Additionally Parsedown will apply sanitisation to additional scripting vectors (such -as scripting link destinations) that are introduced by the markdown syntax itself. +Parsedown is capable of escaping user-input within the HTML that it generates. Additionally Parsedown will apply sanitisation to additional scripting vectors (such as scripting link destinations) that are introduced by the markdown syntax itself. + To tell Parsedown that it is processing untrusted user-input, use the following: ```php $parsedown = new Parsedown; $parsedown->setSafeMode(true); ``` -If instead, you wish to allow HTML within untrusted user-input, but still want -output to be free from XSS it is recommended that you make use of a HTML sanitiser -that allows HTML tags to be whitelisted, like [HTML Purifier](http://htmlpurifier.org/). +If instead, you wish to allow HTML within untrusted user-input, but still want output to be free from XSS it is recommended that you make use of a HTML sanitiser that allows HTML tags to be whitelisted, like [HTML Purifier](http://htmlpurifier.org/). -In both cases you should strongly consider employing defence-in-depth measures, -like [deploying a Content-Secuity-Policy](https://scotthelme.co.uk/content-security-policy-an-introduction/) -(making use of browser security feature) so that your page is likely to be safe even if an -attacker finds a vulnerability in one of the first lines of defence above. +In both cases you should strongly consider employing defence-in-depth measures, like [deploying a Content-Secuity-Policy](https://scotthelme.co.uk/content-security-policy-an-introduction/) (making use of browser security feature) so that your page is likely to be safe even if an attacker finds a vulnerability in one of the first lines of defence above. 
#### Security of Parsedown Extensions
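Review bot: Two typos in the text added by PATCH 1/4: "additional scriping vectors" should read "additional scripting vectors", and the link text "deploying a Content-Secuity-Policy" should read "Content-Security-Policy". Also consider stating outright that safe mode is opt-in, since the opening line "Parsedown is capable of escaping user-input within the HTML that it generates" can be read as describing default behaviour before the reader reaches "To tell Parsedown that it is processing untrusted user input, use the following:" and the `setSafeMode(true)` call.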
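Review bot: In the PATCH 2/4 rewrite, "Content-Secuity-Policy" is still misspelled in the link text and "(making use of browser security feature)" is missing an article ("a browser security feature"). The new "### Escaping HTML" section warns that `setMarkupEscaped(true)` "isn't safe from XSS" and shows the `[xss](javascript:alert%281%29)` case, but it does not say what to use instead; add a sentence directing readers with untrusted input back to `setSafeMode(true)` from the section above, so the warning carries an actionable recommendation. The "Security of Parsedown Extensions" subsection is a useful addition and should stay.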
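Review bot: PATCH 3/4 only changes "untrusted user input" to "untrusted user-input" on a line introduced by PATCH 2/4; as a pure fix-up of the previous commit it would be cleaner squashed into that commit rather than kept as a separate entry in the history.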
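Review bot: The PATCH 4/4 hunk does more than remove line breaks: it inserts a new blank line between "...introduced by the markdown syntax itself." and "To tell Parsedown that it is processing untrusted user-input, use the following:", which turns one paragraph into two in the rendered README. If that split is intended, say so in the commit message; otherwise drop the added empty `+` line. Since this is the last patch in the series and it rewrites the affected lines anyway, it is also the place to fix "Content-Secuity-Policy" and "making use of browser security feature", both of which survive unchanged into the final text.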