Disallowed Raw HTML Extension
(Note: this extension is included by default within the GFM extension)
The DisallowedRawHtmlExtension
automatically filters certain HTML tags when rendering output, such as:
<title>
<textarea>
<style>
<xmp>
<iframe>
<noembed>
<noframes>
<script>
<plaintext>
Filtering is done by replacing the leading <
with the entity <
.
This is required by the GFM spec because these particular tags could cause undesirable side-effects if a malicious user tries to introduce them.
All other HTML tags are left untouched by this extension.
Installation
This extension is bundled with league/commonmark
. This library can be installed via Composer:
composer require league/commonmark
See the installation section for more details.
Usage
Configure your Environment
as usual and simply add the DisallowedRawHtmlExtension
provided by this package:
use League\CommonMark\Environment;
use League\CommonMark\Extension\DisallowedRawHtml\DisallowedRawHtmlExtension;
use League\CommonMark\MarkdownConverter;
// Obtain a pre-configured Environment with all the CommonMark parsers/renderers ready-to-go
$environment = Environment::createCommonMarkEnvironment();
// Add this extension
$environment->addExtension(new DisallowedRawHtmlExtension());
// Set your configuration if needed
$environment->mergeConfig([
// ...
]);
// Instantiate the converter engine and start converting some Markdown!
$converter = new MarkdownConverter($environment);
echo $converter->convertToHtml('I cannot change the page <title>anymore</title>');