How secure is this?

[ncovercash]

What potential exploits are there? Does this library sanitize input?

[cebe]

Does this library sanitize input?

It does not, HTML is allowed to be part of markdown, if you need to sanitize the output you need to pass it through a filter like for example HTML Purifier.

[ncovercash]

Alright, thankd

[adaur]

What's the point of setMarkupEscaped then?

[whimsicaldreamer]

setMarkupEscaped function is used to escape all the html entities for preventing XSS. But according to my issue the problem I was facing was in my DB I already had sanitized input which wasn't converting to html markup during output.
It's better to use this function instead of htmlspecialchars(which I was using) for sanitizing as this even escapes XSS in links.

[ncovercash]

alright, thanks

[adaur]

Applying this works great

https://github.com/erusev/parsedown/pull/276/files

[whimsicaldreamer]

@adaur you are saying to use this instead of setmarkupescaped?

[whimsicaldreamer]

Would it solve the issue at #421

[adaur]

Not instead, in addition to. The new safeLinksEnabled is enabled by default using this PR.

I don't know for your issue, since I use a very simple function to replace smilies like :) to their image, after I've called the text function, like this:

function parse_message($text) {
    return $this->do_smilies($this->text($text));
}

[aidantwoods]

Check out ->setSafeMode(true) in the new release :) (some discussion in #495)