js-xss VS showdown

xss-shield is a powerful middleware package that helps you protect your express.js app from Cross-Site Scripting (XSS) attacks. It's built on top of the popular xss (https://www.npmjs.com/package/xss) package and includes additional features like strict typing

There are a few libraries you can use to protect from xss. For instance the xss library on npm.

So you're going to need a Markdown parser that produces HTML. But there's a question of where is the data coming from and where you you want to process it? If it's going to be all on the frontend like a text editor, use a JS library for it (a quick google search produces ShowdownJS)

Previously, I was required to implement the markdown support manually which meant that the use of public libraries was prohibited. My tool could only support limited styling elements such as header1, header2, links, bold and italics, but now I can finally let my tool have a full markdown support by using Showdown.

The first two ages are very heavy on content so I decided to use markdown and tailwind’s typography plugin for styling. I also used showdown to fetch the markdown and turn it into HTML. The code for the above can be found on the site’s GitHub repository.

It looks like it uses showdown as the engine.

Adding syntax highlighting to an input field can be a hard task. supports neither styling of individual characters or words, nor HTML tags within itself, there is no fully supported native solution for that. Most editors work with contenteditable to actually render a fully marked up code snippet and let the user edit its content. This requires a lot of work to get it accessible (as in restore all the native functions of a textarea) and still adds a lot of complexity.
If you don't want that and are just looking for a quick, dead-simple solution: Here's how to colorize a textarea.

Solution

The trick is to separate the input element from the displayed one. We can't color the content of a textarea, but we can make it invisible and replace it with marked up content. This works with monospaced fonts and fonts with a uniform width across normal, bold and italic characters. I'm using this for code and markdown, so that's perfectly acceptable for me. We also need to be careful to match the dimensions of the textarea exactly while only using font-relative units like em, to ensure that the highlight element scales well with the invisible textarea. The cursor is still in the textarea's context, while the text itself is rendered in the highlight element. We want to match every character of the textarea to match the highlighted one on a pixel-perfect basis.

I also need to auto-resize my textarea. Since textareas usually scroll vertically, that would mess up the position matching with the highlight element. Auto-resizing seems like a graceful workaround to me.

The highlghting itself would work with every code parser. I'm using highlight.js to convert markdown to syntax-highlighted HTML. I listen for content changes in the textarea and parse new rendered code on every input. To counter the worst performance hits, I'll just use requestAnimationFrame. Debouncing isn't an option here, because the user would only see what they've written after they've finished typing. That'd be very poor UX.

Demo

Note that this example also displays the rendered Markdown in a separate element. I'll use the change listener that I already have to splice in a Markdown renderer: Showdown.

Pros

• as accessible as a textarea
• is a progressively enhanced feature
• can be styled exactly to your needs
• dead simple solution compared to a rich text editor

Cons

• has performance issues with large texts (as do textareas in general)
• works only with monospaced fonts
• works only with auto-sizing textareas

This article was written in a textarea :)

In order to transform the Markdown to HTLM, we can use a generator such as showdown. It's really easy to use:

or are you asking general technical question about markdown handling? there are existing solution which already do two-way convertion, including showdown and reddit comment box, the secret to make them "live" is to update both fields on key-down even