The '--sanitize-html' option now examines URIs in markdown links

and images, and in HTML href and src attributes. If the URI scheme is not on a whitelist of safe schemes, it is rejected. The main point is to prevent cross-site scripting attacks using 'javascript:' URIs. See http://www.mail-archive.com/markdown-discuss@six.pairlist.net/msg01186.html and http://ha.ckers.org/xss.html. Resolves Issue #62. git-svn-id: https://pandoc.googlecode.com/svn/trunk@1262 788f1e2b-df1e-0410-8736-df70ead52e1b
author: fiddlosopher <fiddlosopher@788f1e2b-df1e-0410-8736-df70ead52e1b> 2008-03-22 20:41:56 +0000
committer: fiddlosopher <fiddlosopher@788f1e2b-df1e-0410-8736-df70ead52e1b> 2008-03-22 20:41:56 +0000
commit: 8624ed9bd3c38c1907070a3b7de244fd487976c4 (patch)
tree: a1bfab4317a80976768c31d65b7b3abf873192a9 /man/man1/pandoc.1.md
parent: 4988441f3c44d8b80712aec8eb3359a3a584e669 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/man/man1/pandoc.1.md b/man/man1/pandoc.1.md
index 5bf734d5a..e3ca8e591 100644
--- a/man/man1/pandoc.1.md
+++ b/man/man1/pandoc.1.md
@@ -128,7 +128,8 @@ to Pandoc.  Or use `html2markdown`(1), a wrapper around `pandoc`.
 \--sanitize-html
 :   Sanitizes HTML (in markdown or HTML input) using a whitelist.
     Unsafe tags are replaced by HTML comments; unsafe attributes
-    are omitted.
+    are omitted.  URIs in links and images are also checked against a
+    whitelist of URI schemes.
 
 \--toc, \--table-of-contents
 :   Include an automatically generated table of contents (HTML, markdown,
author	fiddlosopher <fiddlosopher@788f1e2b-df1e-0410-8736-df70ead52e1b>	2008-03-22 20:41:56 +0000
committer	fiddlosopher <fiddlosopher@788f1e2b-df1e-0410-8736-df70ead52e1b>	2008-03-22 20:41:56 +0000
commit	8624ed9bd3c38c1907070a3b7de244fd487976c4 (patch)
tree	a1bfab4317a80976768c31d65b7b3abf873192a9 /man/man1/pandoc.1.md
parent	4988441f3c44d8b80712aec8eb3359a3a584e669 (diff)