I'm parsing user-inputted markdown into HTML using the marked library and rendering it using the @html tag.
But the issue is that if the user input is something like <script>alert('hello')</script>, the element gets rendered as a normal HTML script element, but the code within that script is not executed (for some reason?).
Is this a possible attack vector for an XSS attack? (since the script is not executed for some reason)
And are there any alternative ways to render markdown safely?
I guess one solution is to sanitize the user input before rendering it, but I'm wondering if there are any alternatives.
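Added illustration (not code from the original post) of the pattern that addresses the question. Svelte's {@html} inserts the string via innerHTML, and the HTML spec says script elements inserted that way are not executed, which is why the alert never fires; markup can still run code through other paths when inserted this way, so unsanitized marked output is an XSS vector. Sanitizing marked's HTML output with an allowlist-based sanitizer such as DOMPurify right before {@html} is the usual fix. The component below assumes Svelte 4 component syntax, marked v4 or newer (marked.parse) and the dompurify package; the prop name `source` is a choice made here, not something from the post.

```svelte
<script>
  import { marked } from 'marked';
  import DOMPurify from 'dompurify';

  // Untrusted markdown supplied by the user (prop name is an assumption of this example).
  export let source = '';

  // marked passes raw HTML embedded in the markdown straight through,
  // so its output must be treated as untrusted.
  $: dirtyHtml = marked.parse(source);

  // Allowlist sanitization on the HTML *output* (not the markdown input):
  // markdown syntax itself can produce elements and attributes, so filtering
  // the input string would not be enough.
  $: safeHtml = DOMPurify.sanitize(dirtyHtml);
</script>

{@html safeHtml}
```

DOMPurify needs a DOM, so in SvelteKit this component's sanitization only works where a `document` exists (client-side rendering); for server-side rendering, sanitize on the server with a DOM-backed sanitizer or send the already-sanitized HTML to the page. The order matters: sanitize after marked, immediately before {@html}, and do not re-encode or post-process the string in between.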