I'm new to PHP Markdown.
Please correct me if I'm using terminology wrong.
I have a textarea input whose value I'd like to save to a database and later present on my page.
I need simple HTML elements like h1, h2, p, a, ol, li.
I assume I'd like to use the markdown notation.
So, I save this sample text to my database:
This is a [sample](text). <script>alert('hohoho')</script>
And I can render it using {!! Str::markdown($string) !!} as <a href="text">sample</a><script>alert('hohoho')</script>, which seems fine. The script is not executed.
Is this safe?
"safe" in the sense that a user can't input anything into the database through a standard Laravel app that could be used maliciously, e.g. <script>alert('aa')</script> or <?= 'bb' ?>. Please do point out if I'm missing anything.
What is the difference (in general and in my case) between using Str::markdown() and any of the following libraries:
All three implementations are thin wrappers around league/commonmark
, so they should work more or less identically.
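The answer above settles the "which library" question, but the "is this safe?" part deserves a concrete check. Str::markdown() hands the string to league/commonmark's GitHub-flavoured converter, and league/commonmark's defaults are html_input => 'allow' and allow_unsafe_links => true: raw HTML and javascript: links pass through unchanged, and {!! !!} then prints the result without Blade's escaping. The Laravel documentation therefore recommends passing html_input => 'strip' and allow_unsafe_links => false whenever the Markdown comes from users. The script below is an added example written by the editor, not code from the asker or from Laravel. It assumes Laravel 8 or later (where Str::markdown accepts an options array and wraps league/commonmark 2.x) and that it runs inside a Laravel application (a route closure, a test or tinker) so the autoloader is available; every sample input is constructed for illustration.

```php
<?php
// Added example (editor's code, not the asker's or Laravel's).
// Assumes Laravel 8+ with Illuminate\Support\Str::markdown() wrapping
// league/commonmark 2.x, run inside a Laravel app where the autoloader is loaded.
// All sample inputs below are constructed for illustration.

use Illuminate\Support\Str;

// Options recommended in the Laravel docs for user-supplied Markdown.
// Without them league/commonmark defaults to html_input => 'allow' and
// allow_unsafe_links => true, and {!! !!} prints the result unescaped.
$hardened = [
    'html_input'         => 'strip', // remove raw HTML tags, keep their text content
    'allow_unsafe_links' => false,   // drop href/src for javascript:, vbscript:, file:, data: URLs
];

$samples = [
    // the asker's sample: inline <script> after Markdown text
    "This is a [sample](text). <script>alert('hohoho')</script>",
    // a vector that stripping raw HTML alone does not cover: a javascript: link
    "[click me](javascript:alert(1))",
    // an event handler on an image tag, no <script> needed
    '<img src=x onerror="alert(2)">',
    // PHP tags are never evaluated here: the stored value is data, not source code
    "<?= 'bb' ?>",
];

// Render each sample twice so the difference the options make is visible side by side.
foreach ($samples as $md) {
    echo "input:    $md\n";
    echo "default:  " . Str::markdown($md) . "\n";
    echo "hardened: " . Str::markdown($md, $hardened) . "\n\n";
}
```

With the default options the <script> and <img> tags and the javascript: href are emitted verbatim, so a page that prints them with {!! !!} will run them. With the hardened options the converter removes the HTML tags (leaving only their text), emits the javascript: link without an href, and drops the <?= ... ?> block; the PHP tag is harmless either way, because the string only ever passes through the Markdown converter as data and is never compiled as PHP. If the templates or a later feature ever need raw HTML from users, the safe route is a dedicated HTML sanitizer applied to the converter's output rather than switching html_input back to 'allow'.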