Any way to create posts using original (not scraped) HTML? Easier to put together and looks better. If not, I’d sure like to see that happen.

  • @ShunkW
    link
    61 year ago

    I believe you can only use markdown. Allowing user input in HTML is incredibly dangerous unless you’re very, very careful about sanitizing it. I had to deal with this at a previous job and it’s a nightmare for security.

    • @Antimoon51
      link
      11 year ago

      I’m a newbie, but aren‘t there quite a few HTML Tags you can use in Markdown? Why aren‘t they considered dangerous? Or is it just a few tags that would be dangerous, that aren‘t supported in markdown?

      • @ShunkW
        link
        21 year ago

        Markdown is interpreted and translated into HTML. There are tons of vulnerable tags. Even a simple img tag can be used for cross site scripting.

    • kopper [they/them]
      link
      fedilink
      English
      1
      edit-2
      1 year ago

      Lemmy already has to deal with untrusted HTML since that’s the “canonical” form of all ActivityPub Page/Note content.

      I believe it converts to markdown when it receives it (if no markdown source is transmitted alongside, e.g. for posts from vanilla Mastodon) and stores/serves markdown from it’s own API (to the webui and apps), so it wouldn’t be much use for OP but in theory they can use a modified Lemmy or a different hypothetical fedi platform that supports HTML and it should work Mostly Fine™ (granted Lemmy already has trouble federating with itself most of the time so that may not be the best user experience, but it can work)

      • @ShunkW
        link
        11 year ago

        I didn’t know that it accepted and translated HTML to be honest. Makes me wonder if there are any vulnerabilities based on the translation process, or if you can break out of it. Hmm.