Marked does not sanitize HTML

[almereyda]

The documentation of the marked package, which was upgraded in course of #14, contains a big warning at

• https://github.com/markedjs/marked#warning--marked-does-not-sanitize-the-output-html-please-use-a-sanitize-library-like-dompurify-recommended-sanitize-html-or-insane-on-the-output-html-
  about

Warning: 🚨 Marked does not sanitize the output HTML. Please use a sanitize library, like DOMPurify (recommended), sanitize-html or insane on the output HTML! 🚨

What does this even mean, and why is it neccessary?

[anderspitman]

Basically this can be a problem if you let users upload HTML that will then be displayed on your site. For example, imagine a forum that lets you use HTML for comments. If you allow any HTML tags, users could upload JavaScript emedded in a <script> tag and do nefarious things. Sanitizers are meant to filter out any dangerous HTML.

Since we're using any untrusted HTML, this shouldn't be a problem for us.

[almereyda]

Thank you for the explanation! The reasoning makes sense to me. And remotely reminds me of this conversation lately: https://graz.social/@marmarper/107824213214818963

[anderspitman]

I have long felt that we need to separate the "document web" from the "app web". Web apps are great and have there place, but you shouldn't need a full web browser to read someone's blog or wikipedia.