
use remarkable instead of marked for previewing to prevent XSS content #437

Closed
wants to merge 3 commits into from

Conversation

wisetwo commented Sep 22, 2016

When the input string contains HTML content, 'marked' would simply render it as actual HTML entities, thus bringing a weird previewing effect. For example, when we input strings like <textarea>123</textarea>, the preview would show an actual textarea input; a script tag will also be rendered as well. If the content is user generated, it's likely to make the users feel that there could be an XSS vulnerability.

Should we change it to 'remarkable' with the html option set to false to avoid this?

@sparksuite-bot (Collaborator)

Thanks for helping to contribute to SimpleMDE. However, it looks like you haven't read the Contributing Guidelines yet because you compared this PR against the master branch.

The most important guideline for contributing is to compare against the development branch when creating a pull request.

First, read the Contributing Guidelines. Then you can submit a new PR that compares your commits against the development branch. This PR will now be closed.

@TangentFoxy

As was stated on a recent issue (#435), this project is not supposed to protect against XSS. It is up to the developer to implement this on their side.

raminfp commented Sep 22, 2016

Thanks, I need a fix for this issue. I see your PR. Have you performed a test to protect against XSS?

@TangentFoxy

@raminfp You're mentioning the wrong guy. I don't have any PRs.

raminfp commented Sep 23, 2016

@Guard13007 Oh, you are right, I am so sorry.

wisetwo (Author) commented Sep 23, 2016

@Guard13007 OK, so if we want to use simplemde for public users, we can only customise its markdown parser.
Got it, thanks.

wisetwo (Author) commented Sep 23, 2016

@raminfp This PR has only a few lines of code and I have tested it through the possible XSS attack situations that I know; you can have a try :)
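The thread above leaves the raw-HTML-in-preview check to whoever embeds the editor. The following is an added example, not code from the SimpleMDE project or from this PR's author: a small harness that feeds inputs containing raw HTML (including the `<textarea>123</textarea>` case quoted in the PR) through a preview renderer and reports which inputs come back as live markup instead of escaped text. The two renderers in it are assumed stand-ins, not marked or remarkable themselves; plug in the real renderer (for example `new Remarkable({ html: false }).render`) in place of them.

```javascript
// Added example (assumption-laden stand-ins, not the project's own code).
// Goal: verify that a preview renderer turns raw HTML in user input into
// escaped text, which is what this PR's `html: false` setting is meant to do.

// Constructed sample inputs, including the <textarea> case from the PR.
const SAMPLES = [
  '<textarea>123</textarea>',
  '<script>alert(1)</script>',
  'plain *markdown* text',
];

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
function escapeHtml(text) {
  return text.replace(/[&<>"]/g, (c) => ESCAPES[c]);
}

// Stand-in renderers (assumptions, not marked/remarkable):
// passThroughRender models a parser that emits inline HTML unchanged, the
// behaviour the issue describes; escapingRender models one with HTML disabled.
function passThroughRender(md) { return '<p>' + md + '</p>'; }
function escapingRender(md) { return '<p>' + escapeHtml(md) + '</p>'; }

// Names of every HTML tag present in the input, lower-cased, without attributes.
function tagsIn(text) {
  return (text.match(/<\/?([a-z][a-z0-9]*)/gi) || [])
    .map((t) => t.replace(/<\/?/, '').toLowerCase());
}

// Returns the samples whose input tags reappear as real markup in the rendered
// output. An empty array means every tag was escaped (shown as literal text).
function unsafeSamples(render, samples = SAMPLES) {
  return samples.filter((input) => {
    const out = render(input);
    return tagsIn(input).some((tag) =>
      new RegExp('<\\/?' + tag + '\\b', 'i').test(out));
  });
}

// Wiring (assumed usage of SimpleMDE's previewRender option): only hand a
// renderer to the editor once unsafeSamples(renderer) returns [].
//   new SimpleMDE({ previewRender: (plainText) => escapingRender(plainText) });
```

Running `unsafeSamples` over your own renderer before wiring it in gives a repeatable version of the manual "I tried a few tags" test discussed in the thread.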
