I’m editing blog posts with StackEdit and it’s great!
However, I would like to embed Tweets, GitHub gists, and Amazon widgets, and they all rely on JavaScript.
I assume that they are stripped out by the HTML sanitizer in StackEdit. I couldn’t find any way to disable this in the UI.
I searched the forums and it appears that others have the same issue:
Is it possible (in v5) to enable support for Markdown parsing within HTML blocks, either automatically or using Markdown Extra’s syntax like this?
<div markdown="1" class="my-css-class">
Hello world. I _love_ using StackEdit! It would also be nice to mix and match Markdown and HTML <em>within the same block</em>.
</div>
Although I think this can’t be done for security reasons, it seems that jsfiddle and jsbin and similar sites support running JavaScript?
Also, the markdown-it demo supports JavaScript if you check the html box, although yes it seems very insecure.
https://markdown-it.github.io/#md3={"source"%3A"\n<script>document.title%3D\"I%20CHANGED%20THE%20TITLE%20OF%20THIS%20PAGE\"%3B<%2Fscript>\n\n\n\n"%2C"defaults"%3A{"html"%3Atrue%2C"xhtmlOut"%3Afalse%2C"breaks"%3Afalse%2C"langPrefix"%3A"language-"%2C"linkify"%3Atrue%2C"typographer"%3Atrue%2C"_highlight"%3Atrue%2C"_strict"%3Afalse%2C"_view"%3A"html"}}
But in any case, even if the StackEdit service can’t support it, is it possible to remove HTML sanitization by forking the source? I noticed this part of the source that calls an HTML sanitizer.
        insertBeforeTocElt = insertBeforeTocElt.nextSibling;
      } else if (item[0] === -1) {
        sectionDescIdx += 1;
        sectionPreviewElt = insertBeforePreviewElt;
        insertBeforePreviewElt = insertBeforePreviewElt.nextSibling;
        this.previewElt.removeChild(sectionPreviewElt);
        sectionTocElt = insertBeforeTocElt;
        insertBeforeTocElt = insertBeforeTocElt.nextSibling;
        this.tocElt.removeChild(sectionTocElt);
      } else if (item[0] === 1) {
        const html = htmlSanitizer.sanitizeHtml(this.conversionCtx.htmlSectionList[sectionIdx]);
        sectionIdx += 1;
        // Create preview section element
        sectionPreviewElt = document.createElement('div');
        sectionPreviewElt.className = 'cl-preview-section';
        sectionPreviewElt.innerHTML = html;
        if (insertBeforePreviewElt) {
          this.previewElt.insertBefore(sectionPreviewElt, insertBeforePreviewElt);
        } else {
          this.previewElt.appendChild(sectionPreviewElt);
I did not try building StackEdit yet, but maybe removing that line and rebuilding it will enable JS on a self-hosted version?
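
An alternative to deleting the `sanitizeHtml` call in a self-hosted fork, as an added example that is not part of the original post or of StackEdit's code: keep the sanitizer for document HTML and let the fork's own code emit a sandboxed iframe only for embed scripts that pass an allowlist. `ALLOWED_EMBEDS`, `escapeAttr` and `embedToSandboxedIframe` are hypothetical names, the gist URL is constructed, and where the fork would call this is an assumption.

```javascript
// Hypothetical helper for a self-hosted fork; not a StackEdit API.
// Map (not a plain object) so hostnames like "constructor" cannot hit
// inherited properties during lookup.
const ALLOWED_EMBEDS = new Map([
  // host -> pattern the path must match: /<user>/<hex gist id>.js
  ['gist.github.com', /^\/[A-Za-z0-9-]+\/[0-9a-f]+\.js$/],
]);

// Escape text for use inside a double-quoted HTML attribute value.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Returns iframe markup for an allowlisted embed script URL, or null.
function embedToSandboxedIframe(scriptSrc) {
  let url;
  try {
    url = new URL(scriptSrc);
  } catch (e) {
    return null; // not an absolute URL
  }
  // HTTPS only, no credentials, no non-default port.
  if (url.protocol !== 'https:' || url.username || url.password || url.port) {
    return null;
  }
  const pathRule = ALLOWED_EMBEDS.get(url.hostname);
  if (!pathRule || !pathRule.test(url.pathname)) return null;

  // Rebuild the URL from validated parts only; query and fragment are dropped.
  const safeSrc = `https://${url.hostname}${url.pathname}`;
  const inner = `<script src="${safeSrc}"></script>`;

  // sandbox="allow-scripts" without allow-same-origin: the embed's script runs
  // in an opaque origin and cannot reach the editor page's DOM or storage.
  return '<iframe sandbox="allow-scripts" referrerpolicy="no-referrer" ' +
    `srcdoc="${escapeAttr(inner)}"></iframe>`;
}

// Constructed sample inputs.
console.log(embedToSandboxedIframe('https://gist.github.com/octocat/0123abcd.js'));
console.log(embedToSandboxedIframe('https://gist.github.com.evil.example/a/0.js')); // null
```

Browsers do not execute `<script>` elements inserted through `innerHTML`, as the excerpt does, but they do run inline event-handler attributes. Removing the sanitizer line alone would therefore not make script-based embeds work, while it would allow handler attributes in any opened document to execute.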