Disable HTML Sanitzation?


#1

I’m editing blog posts with StackEdit and it’s great!

However I would like to embed Tweets, Github gists, and Amazon widgets, and they all rely on JavaScript.

I assume that they are stripped out by the HTML sanitizer in StackEdit. I couldn’t find any way to disable this in the UI.

I searched the forums and it appears that others have the same issue:

Although I think this can’t be done for security reasons, it seems that jsfiddle and jsbin and similar sites support running JavaScript?

Also, the markdown-it demo supports JavaScript if you check the html box, although yes it seems very insecure :slight_smile:

https://markdown-it.github.io/#md3={"source"%3A"\n<script>document.title%3D\"I%20CHANGED%20THE%20TITLE%20OF%20THIS%20PAGE\"%3B<%2Fscript>\n\n\n\n"%2C"defaults"%3A{"html"%3Atrue%2C"xhtmlOut"%3Afalse%2C"breaks"%3Afalse%2C"langPrefix"%3A"language-"%2C"linkify"%3Atrue%2C"typographer"%3Atrue%2C"_highlight"%3Atrue%2C"_strict"%3Afalse%2C"_view"%3A"html"}}


But in any case, even if the StackEdit service can’t support it, is it possible to remove HTML sanitization by forking the source? I noticed this part of the source that calls an HTML sanitizer.

I did not try building StackEdit yet, but maybe removing that line and rebuilding it will enable JS on a self-hosted version?