From 8624ed9bd3c38c1907070a3b7de244fd487976c4 Mon Sep 17 00:00:00 2001 From: fiddlosopher Date: Sat, 22 Mar 2008 20:41:56 +0000 Subject: The '--sanitize-html' option now examines URIs in markdown links and images, and in HTML href and src attributes. If the URI scheme is not on a whitelist of safe schemes, it is rejected. The main point is to prevent cross-site scripting attacks using 'javascript:' URIs. See http://www.mail-archive.com/markdown-discuss@six.pairlist.net/msg01186.html and http://ha.ckers.org/xss.html. Resolves Issue #62. git-svn-id: https://pandoc.googlecode.com/svn/trunk@1262 788f1e2b-df1e-0410-8736-df70ead52e1b --- man/man1/pandoc.1.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'man/man1/pandoc.1.md') diff --git a/man/man1/pandoc.1.md b/man/man1/pandoc.1.md index 5bf734d5a..e3ca8e591 100644 --- a/man/man1/pandoc.1.md +++ b/man/man1/pandoc.1.md @@ -128,7 +128,8 @@ to Pandoc. Or use `html2markdown`(1), a wrapper around `pandoc`. \--sanitize-html : Sanitizes HTML (in markdown or HTML input) using a whitelist. Unsafe tags are replaced by HTML comments; unsafe attributes - are omitted. + are omitted. URIs in links and images are also checked against a + whitelist of URI schemes. \--toc, \--table-of-contents : Include an automatically generated table of contents (HTML, markdown, -- cgit v1.2.3
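Review bot: The new sentence in the `\--sanitize-html` entry ("URIs in links and images are also checked against a whitelist of URI schemes.") leaves two things the commit message states out of the man page: that the check also covers `href` and `src` attributes in raw HTML input, not only markdown links and images, and what happens to a URI whose scheme is not on the whitelist (the commit message says it "is rejected", while the surrounding paragraph documents the fate of unsafe tags and attributes but not of unsafe URIs). Users rely on this entry to know what the option guarantees, so suggest something like: "URIs in markdown links and images, and in HTML `href` and `src` attributes, are checked against a whitelist of URI schemes; URIs with other schemes (for example `javascript:`) are rejected." Listing or pointing to the set of allowed schemes, as the existing text does for tags and attributes with the word "whitelist", would also make the option's scope verifiable rather than implied.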