I was testing out something and tried to put this into Showdown:
<script>alert("hacked!");</script>
Of course it didn't alert anything (Showdown is made to protect against those sorts of things), but the <script> tag gets removed completely. I am using this for a user description, so the script tag (and it's contents) should be visible, just not executed.
I was thinking that most likely I would need to change some built in Showdown code but couldn't find any place in it's code that I should change to only show the script tags but not execute them.
Does anyone know any existing options or some changes to the source code to show this?
I found the answer: I just needed to replace the start and end of the <script> tags with something visible, like <script and </script>
This is the code I used:
myshowdownhtml.split("<script").join("<script").split("<"+"/script>").join("</script>");