Detect HTML/JS injection attacks and warn users pro-actively
Is your request related to a specific problem you’re having?
https://github.com/highlightjs/highlight.js/issues/2884 https://github.com/ccampbell/rainbow/issues/249
This comes up again and again (though thankfully not TOO often). Beginners are VERY confused about this whole HTML escaping thing.
The solution you’d prefer / feature you’d like to see added…
While we can’t do anything smart about this yet (because we unfortunately allow HTML inside code blocks for “clever” users) I’d like this to change with v11. With v11 we should drop this HTML pass-thru behavior and move it to a plugin (making it very much opt-in). The default behavior should be that HTML is silently dropped and I’d even consider adding some sort of error:
```
WARNING.
Are you missing a bunch of HTML code you expected to see here?
Your HTML wasn't properly escaped and that can lead to serious
security issues. _Learn More_
Properly escape your code and the highlighting you expect will kick in.
```
This would of course be a breaking change so we’d need to wait until v11. For 95% of users I can’t see the downside to this and it seems we could potentially educate and prevent a lot of harm. Someone wanting the HTML to pass thru would install a plug-in and thus change the behavior, get the old behavior back, etc.
Any alternative solutions you considered…
Silent dropping but no error… but that just leads to support issues… I suppose we could log the error to the console vs actually showing it on the webpage.
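The default behaviour proposed above (a code block is text; raw HTML is dropped, a warning is raised, and only escaped output is rendered) as an added example in plain JavaScript. It is not highlight.js code: the tag regex is a string heuristic standing in for the DOM's `element.children` check, and `renderCodeBlock`, `toPlainText` and the entity tables are names chosen here.

```javascript
// Added example (not highlight.js code): treat a code block as plain text,
// warn when it contains raw HTML, and emit only escaped markup.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
const NAMED = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
// Heuristic: a tag (opening or closing) inside innerHTML means the author
// did not escape. A browser would instead check element.children.length > 0.
const TAG_RE = /<\/?[a-zA-Z][^>]*>/;

function escapeHTML(text) {
  return text.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Decode common named and numeric entities in a single pass, so that
// "&amp;lt;" becomes "&lt;" and is not decoded a second time.
function decodeEntities(html) {
  return html.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      return String.fromCodePoint(parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    const name = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : match;
  });
}

function hasUnescapedHTML(innerHTML) {
  return TAG_RE.test(innerHTML);
}

// Approximates element.textContent: strip tags first, then decode entities,
// so properly escaped "&lt;script&gt;" survives as literal source text.
function toPlainText(innerHTML) {
  return decodeEntities(innerHTML.replace(/<\/?[a-zA-Z][^>]*>/g, ''));
}

// Returns the escaped markup to render and whether a warning was raised.
function renderCodeBlock(innerHTML) {
  const warned = hasUnescapedHTML(innerHTML);
  if (warned) {
    console.warn('Code block contains unescaped HTML; it has been dropped. Escape your code.');
  }
  return { warned, html: escapeHTML(toPlainText(innerHTML)) };
}
```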
@FractalHQ make sure you know what you’re doing (regarding sanitization), and then use this config option.
Your very first snippet has embedded unescaped HTML - two hyperlinks. We have no way to know if that might be malicious code or not - code blocks are expected to contain only text, not HTML. If you know for sure you can disable the warning (see documentation), but those hyperlinks will still be removed - we do not process HTML by default any longer.
If you need the HTML to be preserved you should see the issue on this subject and may need to use a plugin now: https://github.com/highlightjs/highlight.js/issues/2889