This:

```html
<embed type="text/html" src="https://example.com/" width="100%" height="100%">
```

gets converted into this (when rendered on the page):

```html
<p> &lt;embed type="text/html" src="https://example.com/" width="100%" height="100%"&gt; </p>
```

making the embed tag unusable. Is there any way to stop this from happening? The same happens when you use an iframe tag. I expect the page "example.com" to be rendered.

I'm using Django for the project and have the following displaying the Markdown:

```
{{ page.text | escape | markdown | safe }}
```

with page.text being the variable holding the text.

The version of Markdown I'm using is 3.2.

UnknownPerson
  • It works just fine for me, both using the command-line interface and the programmatic interface. Please [edit] your question to show us how you're trying to convert the file. – ChrisGPT was on strike Jun 18 '20 at 23:45
  • @Chris I've now edited the question to include code which displays the markdown, however, there isn't anything more to add. Django is the framework being used for the system and the extra code added is what displays the information – UnknownPerson Jun 19 '20 at 01:07
  • Ah, you didn't mention Django before. What value does `page.text` have? Is it that whole `embed` tag? Why are you using [the `escape` filter](https://docs.djangoproject.com/en/3.0/ref/templates/builtins/#escape)? Its whole point is to escape HTML, e.g. to convert `<` to `&lt;`, which doesn't make much sense if you're then using the `safe` filter. – ChrisGPT was on strike Jun 19 '20 at 01:14
  • If this question gets reopened I'll add a proper answer, but this ☝️ is the issue. – ChrisGPT was on strike Jun 19 '20 at 01:16
  • @Chris That's the answer, thanks – UnknownPerson Jun 19 '20 at 01:23

1 Answer

> I'm using Django for the project and have the following displaying the Markdown:
>
> ```
> {{ page.text | escape | markdown | safe }}
> ```

Assuming `page.text` contains the `<embed>` you show in your question, your problem is your use of the `escape` filter.

Its job is to escape HTML code, which includes converting `<` to `&lt;` and `>` to `&gt;` as you are seeing. Once that conversion has been made, neither the `markdown` nor the `safe` filter will change it back.

It doesn't make a lot of sense to use `escape` and then `safe`, as `safe` simply prevents autoescaping.

The right solution depends on the source of your page.text. If you trust that source, you can take escape out of your template. Note that this does open the door for security issues from malicious users or accidental misuse, e.g. by cross-site scripting.

If you don't trust the source, you have two main options:

ChrisGPT was on strike
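
An added example, not part of the answer above: one way to drop `escape` for an untrusted `page.text` without opening the cross-site scripting hole the answer warns about is to pass Markdown's HTML output through an allowlist before it is marked safe. The host list, the tag and attribute sets, and the names `sanitize`, `trusted_src` and `AllowlistSanitizer` are assumptions of this example; it uses only the Python standard library.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy for this example: adjust hosts, tags and attributes to your site.
EMBED_HOSTS = {"example.com"}
EMBED_ATTRS = ("type", "src", "width", "height")
PLAIN_TAGS = {"p", "em", "strong", "code", "pre", "ul", "ol", "li", "blockquote", "h1", "h2", "h3"}
VOID_TAGS = {"br", "hr"}
# Strict shape: the host is the literal text after "https://", no userinfo, no backslashes.
URL_RE = re.compile(r"https://([A-Za-z0-9.-]+)(?::\d+)?(?:[/?#][^\s\\]*)?")

def trusted_src(url):
    """True only for https URLs whose literal host is on the allowlist."""
    m = URL_RE.fullmatch(url or "")
    return bool(m) and m.group(1).lower() in EMBED_HOSTS

class AllowlistSanitizer(HTMLParser):
    """Re-emits allowlisted tags in canonical form; all other markup becomes text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in PLAIN_TAGS or tag in VOID_TAGS:
            self.open += [tag] if tag in PLAIN_TAGS else []
            self.out.append(f"<{tag}>")  # attributes (style, on*) are dropped
        elif tag in ("embed", "iframe") and trusted_src(attrs.get("src")):
            kept = "".join(f' {k}="{escape(attrs[k])}"' for k in EMBED_ATTRS if attrs.get(k))
            # An iframe is closed immediately so it cannot swallow the rest of the page.
            self.out.append(f"<{tag}{kept}>" + ("</iframe>" if tag == "iframe" else ""))
        else:
            self.out.append(escape(self.get_starttag_text()))  # shown as text, never parsed

    def handle_endtag(self, tag):
        if tag in self.open:  # close only what this sanitizer opened
            self.open.remove(tag)
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(rendered_html):
    """Run on Markdown's HTML output, before the template marks it safe."""
    parser = AllowlistSanitizer()
    parser.feed(rendered_html)
    parser.close()
    return "".join(parser.out)
```

Registered as a custom template filter and placed after `markdown`, this takes the place of `escape` in the chain. Links (`<a>`) are not on the allowlist here, so Markdown links come out as escaped text.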