How do I disable props and variables in Nuxt MDC
hey!
I've been trying to find a way to fully disable props and variables in Nuxt MDC, with no success. I've got the following questions:
1. Is Nuxt MDC a viable tool for rendering user generated markdown content.
2. If yes, is there something I missed to fully disable props and variables?
I've already got HTML tags disabled, and it by all means seems to pass a quick XSS test I did. That said, the
style and class attributes are scaring me a bit. I don't think it's a good idea to allow users to make use of custom styles and classes for their descriptions.
Please ping me when responding :)3 Replies
Hi @Emma. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:
----------------------
There’s no information in the provided sources that specifically covers:
- Disabling props/variables in Nuxt MDC
- Locking down MDC so that users cannot access props/variables
- Disabling
class/style attributes for user‑generated MDC content
The documents that touch Nuxt Content/MDC mainly show:
- How to use front‑matter and access it via useContent [Front matter status]
- How to render reusable partials via a custom component and ContentQuery/ContentRenderer [MDC partials]
- How to render markdown programmatically (including code highlighting) using a custom server component with markdown-it and highlight.js [Render markdown]
None of these discuss security hardening or disabling MDC features such as props, variables, or attributes.
So:
1. The sources do not state whether Nuxt MDC is “viable” or “recommended” for arbitrary untrusted user‑generated content.
2. The sources do not show any configuration or pattern to fully disable MDC props/variables, or to strip class/style from user MDC.
Given the lack of explicit guidance in these materials, I can’t confidently describe a Nuxt‑official way to do what you’re asking. You may need to look at Nuxt’s MDC/Content docs or issues directly, or consider pre‑sanitising user markdown yourself (e.g. with a markdown/HTML sanitizer) before it ever reaches MDC.
----------------------
Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
----------------------<@488389266133614594> Kapa.ai is still learning and improving, please let me know how I did by reacting below.
I've been able to largely avoid one of the problems by defining the
class and style props on all prose components, but I'd prefer a more scoped solution, as
1. I use Nuxt Content for guides, documentation, release notes and platform policies. I'd prefer to be able to use variables in those.
2. I use Nuxt MDC for user generated content, where variables and props shouldn't be provided.
3. This still does not prevent variables.
I'm using Nuxt 4.1.3, Nuxt MDC 0.18.0, Nuxt Content 3.8.0.
I was also taking a look at remark/rehype plugins, but I can't seem to find any that achieve this either.
Any help would be appreciated :)