v7.5.0
Minor Changes
- 62a16f3: Allow modifying HTML attribute sanitization when `options.sanitizer` is passed by the composer.

  By default a lightweight URL sanitizer function is provided to avoid common attack vectors that might be placed into the `href` of an anchor tag, for example. The sanitizer receives the input, the HTML tag being targeted, and the attribute name. The original function is available as a library export called `sanitizer`.

  This can be overridden and replaced with a custom sanitizer if desired via `options.sanitizer`:

  ```jsx
  // sanitizer in this situation would receive:
  // ('javascript:alert("foo")', 'a', 'href')
  // Note: (value) => value is a pass-through, so nothing is filtered here.

  <Markdown options={{ sanitizer: (value, tag, attribute) => value }}>
    {`[foo](javascript:alert("foo"))`}
  </Markdown>

  // or

  compiler('[foo](javascript:alert("foo"))', {
    sanitizer: (value, tag, attribute) => value,
  })
  ```
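A stricter alternative to the pass-through override above, as an added example that is not part of the markdown-to-jsx release notes or code base: a scheme allowlist keyed on the tag and attribute the sanitizer receives. The name `strictSanitizer`, the policy tables, and the convention that returning `null` drops the attribute are assumptions.

```javascript
// Added example: allowlist sanitizer using the (value, tag, attribute) signature.
// Policy values below are assumptions; adjust them to your content.
const URL_ATTRIBUTES = new Set(['href', 'src']);
const POLICY = {
  'a:href': new Set(['http', 'https', 'mailto']),
  'img:src': new Set(['https']),
};
const DEFAULT_SCHEMES = new Set(['http', 'https']);

// Returns the lowercased scheme, or null for relative URLs and fragments.
function extractScheme(value) {
  // Browsers drop tab/CR/LF inside URLs and trim leading control characters
  // and spaces, so normalise the same way before looking for a scheme.
  const normalised = String(value)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+/, '');
  const match = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(normalised);
  return match ? match[1].toLowerCase() : null;
}

// Hypothetical name. Returns the value unchanged, or null to reject it
// (assumed contract: a null result means the attribute is dropped).
function strictSanitizer(value, tag, attribute) {
  if (!URL_ATTRIBUTES.has(attribute)) return value;
  const key = `${String(tag).toLowerCase()}:${attribute}`;
  const allowed = POLICY[key] || DEFAULT_SCHEMES;
  let decoded;
  try {
    decoded = decodeURIComponent(value);
  } catch (err) {
    return null; // malformed percent-encoding: fail closed
  }
  // Check the raw and the percent-decoded form so an encoded colon
  // cannot hide a scheme from the allowlist.
  for (const candidate of [value, decoded]) {
    const scheme = extractScheme(candidate);
    if (scheme !== null && !allowed.has(scheme)) return null;
  }
  return value;
}

// Constructed sample inputs: [value, tag, attribute]
const SAMPLES = [
  ['javascript:alert("foo")', 'a', 'href'],
  ['https://example.com/docs', 'a', 'href'],
  ['/relative/path#top', 'a', 'href'],
  ['http://example.com/x.png', 'img', 'src'],
];
function runSamples() {
  return SAMPLES.map(([v, t, a]) => strictSanitizer(v, t, a));
}
```

Pass `strictSanitizer` as `options.sanitizer` to `<Markdown>` or `compiler` in place of the pass-through function.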
Patch Changes
- 553a175: Replace RuleType enum with an object