feat(markDownToHTML): enable safe mode and escape markup to prevent XSS vulnerabilities

Author: Daniel Neto

objects/functionsSecurity.php

@@ -349,6 +349,11 @@ function isBot($returnTrueIfNoUserAgent=true)
 function markDownToHTML($text) {
     $parsedown = new Parsedown();
 
+    // Enable safe mode to prevent XSS via raw HTML in markdown input
+    $parsedown->setSafeMode(true);
+    // Also escape any markup that bypasses safe mode
+    $parsedown->setMarkupEscaped(true);
+
     // Convert Markdown to HTML
     $html = $parsedown->text($text);