Post History

Migrating HTML strings to a more secure alternative

Our team will have to migrate an old application to use a new tech stack. One of the features involves the usage of HTML editors which serialized the content as HTML and I am able to see valid HTML in the database for those fields.

The HTML editor is quite limited (text formatting, links, but no scripts).

If I am not mistaken, this opens a door for [HTML injection](https://www.acunetix.com/blog/web-security-zone/html-injections/) and this issue should be removed for security reasons.

The only I see to solve this issue is switching from HTML to MarkDown.

I would like to understand how to correctly approach this task. I would split it in two:

### The converter 

It seems to be a way [to automatically convert HTML](https://attacomsian.com/blog/convert-html-to-markdown) to Markdown using a library like [Turndown](https://github.com/mixmark-io/turndown). Since I only use basic HTML elements, I do not expect surprises here.

### The editor

Users should be able to use a MarkDown editor and an example I can use for an Angular SPA is [angular-markdown-editor](https://github.com/ghiscoding/angular-markdown-editor).

What I do not fully understand is how do I know if the converter output is compatible with the editor, as there seem to be [a plethora of Markdown flavors](https://gist.github.com/vimtaai/99f8c89e7d3d02a362117284684baa0f).

I cannot find anything in the docs for the converter/library about the Markdown flavor they are generating/using. Is this a matter of trial and error or is there an easier way?

I am also open to alternative, if they solve the issue at least as easy as what I have mentioned above.