Seeking clarification re:

[nmstoker]

Regarding snippets, there's a warning in the docs that mentions that snippets should "not be used for user facing sites that take and parse user content dynamically."

https://facelessuser.github.io/pymdown-extensions/extensions/snippets/

Could anyone clarify regarding what counts as parsing user content in this context?

Does this cover sites that offer search (ie where users type in text)?

Thanks in advance!
Neil

[facelessuser]

If you have a server that is parsing foreign, user generated content dynamically, I would not enable snippets. They could specify paths on your server to get access to an unintentional file to render them, like a password file, etc.

Now, this is also why we added extra security to prevent relative or absolute paths that escape the specified base path via GHSA-jh85-wwv9-24hv. Even with this "fix" in place, I would still not expose such on a live server with foreign user input, but it should be safer.

Snippets is not designed or intended to parse unknown, uncontrolled inputs. Snippets is meant for generating known, safe content. If you do otherwise, you do so at your own risk.

[nmstoker]

Thanks @facelessuser . Does input from search count as "foreign user generated content"?

I suspect in my particular case there's going to be no significant risk as the site is being served up from GitHub Pages with a custom domain where there's nothing confidential/login related on the entire domain, but would be good to understand about what exactly counts.

[facelessuser]

What is your search doing? I'm assuming it is just searching an index and not running the input through Python Markdown. It's all about the input being run through Python Markdown on the server. So I imagine this is not what is happening for your search.

Specifically, what you should try to avoid is a live Markdown parser on your server parsing arbitrary input from a user. If you are doing that, you should not be using snippets. It doesn't make sense in this context either. The user shouldn't be making references to unknown files on the server. Snippets isn't useful to them in that scenario and potentially harmful to you.

But if you are generating HTML from trusted markdown and uploading that HTML to your server for public viewing, then Snippets is probably fine.

[nmstoker]

Perfect, that clears up my confusion! Thank you!

Yes, my search is simply regular user queries about documents and it is not involved in creating any markdown that gets parsed.