markdown-sanitization-chain
Markdown Sanitization Chain
Battle-tested via a production XSS incident. The order markdown → sanitize → diagram render is non-negotiable when the content comes from users.
When to Use
- An app renders markdown supplied by users (comments, docs UI, embedded editors)
- You're about to assign markdown-derived HTML to innerHTML
- Mermaid or another diagram renderer runs in the browser
- Security review on a markdown-rendering surface
Why It Matters
Markdown renderers (marked.js, markdown-it) convert markdown to HTML but do not sanitize it: every tag, attribute and URL the user wrote passes straight through. Diagram renderers (Mermaid, PlantUML) run after the sanitizer and inject fresh markup into the DOM, so they can re-introduce vectors the sanitizer already removed. The order of operations is therefore critical.
The Rule
Always: marked.js → DOMPurify → Mermaid (post-render).
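The chain above as a minimal browser page. This is an added example, not code from the skill or the pbi-visual-assistant repository; it assumes marked, DOMPurify and Mermaid v11 are loaded from jsdelivr, an output element with id out, and a constructed sample comment that mixes one benign diagram with two classic XSS probes so the effect of each step is visible.

```html
<!doctype html>
<meta charset="utf-8">
<div id="out"></div>
<script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/dompurify/dist/purify.min.js"></script>
<script type="module">
import mermaid from "https://cdn.jsdelivr.net/npm/mermaid@11/dist/mermaid.esm.min.mjs";

// Constructed sample input: one legitimate diagram plus two hostile fragments.
const userMarkdown = [
  "# Deploy notes",
  "```mermaid",
  "graph LR; A[build] --> B[test] --> C[deploy]",
  "```",
  "<img src=x onerror=\"alert(1)\">",
  "[docs](javascript:alert(1))",
].join("\n");

// startOnLoad:false stops Mermaid scanning the page on its own, i.e. before sanitization.
// securityLevel:'strict' (Mermaid's default) renders labels as text and ignores click directives.
// htmlLabels:false keeps flowchart labels as plain SVG <text>, so the SVG pass below has no
// foreignObject/HTML to strip.
mermaid.initialize({ startOnLoad: false, securityLevel: "strict", flowchart: { htmlLabels: false } });

async function renderUntrustedMarkdown(markdown, container) {
  // 1. Markdown -> HTML. marked does not sanitize; this string is still attacker-controlled.
  const rawHtml = marked.parse(markdown);
  // 2. Sanitize BEFORE anything reaches the DOM. DOMPurify drops the onerror handler and the
  //    javascript: href; the fenced block survives as <pre><code class="language-mermaid">.
  container.innerHTML = DOMPurify.sanitize(rawHtml, { USE_PROFILES: { html: true } });
  // 3. Only now hand Mermaid the diagram text, read back from the SANITIZED DOM
  //    (textContent, so the entities marked escaped are decoded exactly once).
  let n = 0;
  for (const code of container.querySelectorAll("code.language-mermaid")) {
    const { svg } = await mermaid.render(`mmd-${n++}`, code.textContent);
    // Mermaid's output is a new, unsanitized fragment: run it through DOMPurify as well,
    // with the SVG profile, instead of trusting the renderer.
    const safeSvg = DOMPurify.sanitize(svg, { USE_PROFILES: { svg: true, svgFilters: true } });
    const holder = document.createElement("div");
    holder.innerHTML = safeSvg;
    code.parentElement.replaceWith(holder); // swap the <pre> for the rendered diagram
  }
}

renderUntrustedMarkdown(userMarkdown, document.getElementById("out"));
</script>
```

Reversing steps 2 and 3 (or calling mermaid.run on the raw HTML) is exactly the bug the rule guards against: the sanitizer never sees what the diagram renderer inserts.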