HTML posting? - eviltoast

Any way to create posts using original (not scraped) HTML? Easier to put together and looks better. If not, I’d sure like to see that happen.

  • ShunkW@lemmy.world
    link
    fedilink
    arrow-up
    6
    ·
    1 year ago

    I believe you can only use markdown. Allowing user input in HTML is incredibly dangerous unless you’re very, very careful about sanitizing it. I had to deal with this at a previous job and it’s a nightmare for security.

    • Antimoon51@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      I’m a newbie, but aren‘t there quite a few HTML Tags you can use in Markdown? Why aren‘t they considered dangerous? Or is it just a few tags that would be dangerous, that aren‘t supported in markdown?

      • ShunkW@lemmy.world
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        Markdown is interpreted and translated into HTML. There are tons of vulnerable tags. Even a simple img tag can be used for cross site scripting.

    • kopper [they/them]@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      1 year ago

      Lemmy already has to deal with untrusted HTML since that’s the “canonical” form of all ActivityPub Page/Note content.

      I believe it converts to markdown when it receives it (if no markdown source is transmitted alongside, e.g. for posts from vanilla Mastodon) and stores/serves markdown from it’s own API (to the webui and apps), so it wouldn’t be much use for OP but in theory they can use a modified Lemmy or a different hypothetical fedi platform that supports HTML and it should work Mostly Fine™ (granted Lemmy already has trouble federating with itself most of the time so that may not be the best user experience, but it can work)

      • ShunkW@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        I didn’t know that it accepted and translated HTML to be honest. Makes me wonder if there are any vulnerabilities based on the translation process, or if you can break out of it. Hmm.