Question: Way to securely include raw HTML code blocks? #741

Closed
joshgoebel opened this issue Dec 12, 2021 · 6 comments
@joshgoebel

joshgoebel commented Dec 12, 2021

Say given the markdown:

Here is an HTML example:

```html
<h1>Hello World</h1>
```

In this case the < and > should be encoded to prevent the H1 tag from literally being injected directly into the person's website unintentionally. Is this supported or a configurable option? I know some might want to do this, but I think much of the time this is accidental and a big security issue. This has come up multiple times with Highlight.js and the security alert we issue when we detect HTML tags inside a code block (which we do not support by default because of all the related security issues).

Related:

@gettalong gettalong self-assigned this Dec 12, 2021
@gettalong
Owner

So, running kramdown on the following snippet:

~~~
<h1>test</h1>
~~~

yields the following result:

<pre><code>&lt;h1&gt;test&lt;/h1&gt;
</code></pre>

As you can see the HTML tags are properly escaped.

Can you provide a standalone example that doesn't work for you?

@joshgoebel
Author

joshgoebel commented Dec 12, 2021

What about the exact snippet I posted? I'm not familiar with the ~~~ in your sample; what I see used everywhere is the backticks...? If escaping is on by default that's great...

My next question would be is there also a setting to disable it (that might be a culprit)? Are you aware of any special aspects about kramdown's use by Jekyll that would have an impact on this behavior?

I.e., if someone TRULY wanted the injection (people sometimes say they do for highlighting purposes, etc.), i.e., exactly:

<pre><code>
<h1>test</h1>
</code></pre>

Is that possible (somehow) with kramdown or impossible?

@gettalong
Owner

The backticks are used by the GFM parser extension, not by kramdown itself. The triple tildes are the original way of doing code blocks and should work everywhere where triple backticks work (like here in Github comments).

If you are using kramdown with Jekyll and it doesn't work in conjunction, you will need to ask your question there since this works fine with kramdown.

And yes, you can embed HTML blocks, see https://kramdown.gettalong.org/syntax.html#html-blocks

@joshgoebel
Author

If you are using kramdown with Jekyll and it doesn't work in conjunction, you will need to ask your question there since this works fine with kramdown.

I opened an issue there also. Could be I don't fully understand the scope of the problem yet.

And yes, you can embed HTML blocks, see https://kramdown.gettalong.org/syntax.html#html-blocks

Can you embed HTML blocks inside code [~~~] blocks though?

@gettalong
Owner

No, not with a standard code block because that would negate the main reason for its existence.

What you can do is use a special syntax highlighter. If a syntax highlighter is used, the verbatim text of the code block is given to it and the result returned. So this way you could embed HTML blocks.
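The two behaviours described in the comment above (escape the verbatim code by default, or hand the verbatim code to a syntax highlighter and emit whatever it returns), as an added example written for this thread. It is not kramdown's, Jekyll's, Rouge's or Highlight.js's code: a toy fenced-code converter with a pluggable highlighter, two hypothetical highlighter lambdas (one that passes raw code through, one that emits Rouge-style spans), and a naive check of the kind a client-side highlighter might run for literal tags inside <pre>. The sample Markdown is the snippet from the opening comment; everything else is constructed for illustration.

```ruby
require 'cgi'

# Escape the characters that would otherwise be parsed as markup.
def escape_html(text)
  CGI.escapeHTML(text)
end

# Minimal converter for fenced code blocks (~~~ or ```), modelled on the
# behaviour described in the thread but NOT kramdown's implementation:
# without a highlighter the verbatim code is HTML-escaped; with one, the
# verbatim code is handed to the highlighter and its return value is emitted
# as-is. Non-fence lines are wrapped in <p> so the sample document round-trips.
def render_code_blocks(markdown, highlighter: nil)
  out = []
  lines = markdown.lines.map(&:chomp)
  i = 0
  while i < lines.length
    if (m = lines[i].match(/\A(~~~+|```+)\s*(\w+)?\s*\z/))
      fence, lang = m[1], m[2]
      body = []
      i += 1
      until i >= lines.length || lines[i] =~ /\A#{Regexp.escape(fence)}\s*\z/
        body << lines[i]
        i += 1
      end
      i += 1 # skip the closing fence
      code = body.join("\n") + "\n"
      html = highlighter ? highlighter.call(code, lang) : escape_html(code)
      out << "<pre><code>#{html}</code></pre>"
    else
      out << "<p>#{escape_html(lines[i])}</p>" unless lines[i].strip.empty?
      i += 1
    end
  end
  out.join("\n")
end

# Hypothetical "highlighter" that deliberately passes the code through raw.
# This is the injection case from the thread: the <h1> lands in the page.
RAW_PASSTHROUGH = ->(code, _lang) { code }

# Hypothetical highlighter behaving like a Rouge-style server-side pass:
# it escapes the code, then wraps tag names in <span> elements.
TOY_HIGHLIGHTER = lambda do |code, _lang|
  escape_html(code).gsub(/(&lt;\/?)(\w+)(&gt;)/) do
    "#{$1}<span class=\"nt\">#{$2}</span>#{$3}"
  end
end

# Naive version of the check a client-side highlighter might run: does any
# <pre><code> block contain a literal tag? Escaped output never does; both the
# raw pass-through and the span-producing highlighter trigger it, which is the
# situation the closing comment of the thread describes.
def unescaped_tags_in_pre?(html)
  html.scan(%r{<pre><code>(.*?)</code></pre>}m).flatten.any? { |inner| inner.match?(/<\w+/) }
end

# Constructed input: the snippet from the opening comment, with ~~~ fences.
SAMPLE = "Here is an HTML example:\n\n~~~html\n<h1>Hello World</h1>\n~~~\n"

if __FILE__ == $PROGRAM_NAME
  puts render_code_blocks(SAMPLE)
  puts render_code_blocks(SAMPLE, highlighter: TOY_HIGHLIGHTER)
end
```

The point of the second highlighter is that a server-side pass can be perfectly safe (it escapes the user's code before adding its own spans) and still trip a client-side "raw HTML inside pre" check, because that check cannot tell the highlighter's markup from injected markup.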

@joshgoebel
Author

Closing this. The user in question was trying to use both rouge and Highlight.js, and we were complaining loudly because of all the HTML we detected inside <pre> (placed there by rouge during its own highlight pass).
