Markdown Preview Safety: What Local Rendering Protects You From - And What It Does Not

May 27, 2026

Limitations guide

5 min read

By Donald Leijon - Independent web developer and tool builder, based in Sweden.

Local preview keeps a draft out of a document upload flow, but copied HTML and untrusted Markdown still need careful handling.

Tags: developer-tools, privacy, documentation

Quick scan

  • Problem: "Runs in your browser" can be mistaken for "safe for any content."
  • Approach: Separate privacy from rendering safety and publication safety.
  • What the tool does: It renders Markdown locally, removes several unsafe HTML patterns before preview, and lets you copy the resulting HTML.
  • What it does not do: Certify hostile HTML as safe for every CMS, remove confidential information, or replace a security review.

Markdown Preview is valuable for release notes, README drafts, and documentation edits because you can see formatting immediately. Its privacy advantage is narrow and useful: the draft does not need to be sent to Monkeybase for rendering.

That advantage does not make every input appropriate to paste or every output appropriate to publish.

A harmless example

Input:

## Deployment note

- Fixed retry handling for `req_1042`.
- Added an error message for missing tokens.

See the [runbook](/docs/deploy-runbook) before retrying.

Rendered result:

<h2>Deployment note</h2>
<ul>
  <li>Fixed retry handling for <code>req_1042</code>.</li>
  <li>Added an error message for missing tokens.</li>
</ul>
<p>See the <a href="/docs/deploy-runbook">runbook</a> before retrying.</p>

This is the normal use case: check headings, lists, code formatting, and links before copying text into a documentation system.

What local rendering helps with

1. Avoiding a server upload just to preview formatting

The input is transformed in your browser for the preview. That is useful for ordinary drafts that you are permitted to work on locally.

2. Catching presentation mistakes early

You can spot a broken list, a heading level problem, or a malformed link before a documentation edit is submitted.

3. Giving copied HTML a basic first filter

Before inserting generated HTML into the preview, the current version removes script and style blocks, several embedded-content and form elements, inline event-handler attributes, and links that use common dangerous URL schemes.

That is a defensive feature. It should be described precisely as a basic sanitizing pass, not as proof that arbitrary hostile Markdown or HTML is safe.
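To make concrete what a basic pass of this kind does and does not decide, here is an added example written for this page (it is not the Markdown Preview tool's own implementation). It uses Python's standard-library html.parser to apply an allowlist: element names, attribute names and URL schemes that are not explicitly permitted are dropped and written to an audit list so the reviewer can see what was removed. The allowlists and the sample HTML are constructed for the example; a real preview's lists will differ, and the output still says nothing about how the destination CMS will treat it.

```python
"""Allowlist-based first-pass HTML sanitizer (added example, not the tool's own code)."""
import re
from html import escape
from html.parser import HTMLParser

# Constructed allowlists for the example: elements, per-element attributes and
# URL schemes the preview may show. Everything not listed is removed.
ALLOWED_TAGS = {
    "h1", "h2", "h3", "h4", "h5", "h6", "p", "ul", "ol", "li", "a", "code", "pre",
    "em", "strong", "blockquote", "br", "hr", "table", "thead", "tbody", "tr", "th", "td",
}
ALLOWED_ATTRS = {"a": {"href", "title"}, "code": {"class"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "hr"}


def safe_url(value):
    """True for relative URLs and for absolute URLs whose scheme is allowlisted."""
    # Browsers ignore ASCII control characters and whitespace inside a scheme,
    # so remove them before deciding whether the value has a scheme at all.
    cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
    m = re.match(r"^([a-z][a-z0-9+.\-]*):", cleaned)
    if m is None:
        return True  # no scheme: a relative link such as /docs/deploy-runbook
    return m.group(1) in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script> or <style>: drop their text too
        self.dropped = []    # audit trail of what was removed, for the reviewer

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            self.dropped.append(f"<{tag}> block")
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            # iframe, object, embed, form, input, ...: the element is dropped
            self.dropped.append(f"<{tag}> element")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.dropped.append(f"{tag}@{name} handler")
            elif name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name} attribute")
            elif name == "href" and not safe_url(value):
                self.dropped.append(f"{tag}@href scheme")
            else:
                kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(html):
    """Return (sanitized_html, list_of_removed_items)."""
    s = Sanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.dropped


# Constructed sample: the page's harmless note with unwanted additions mixed in.
SAMPLE_HTML = (
    '<h2>Deployment note</h2>'
    '<p onmouseover="void(0)">See the <a href="/docs/deploy-runbook">runbook</a>.</p>'
    '<script>console.log("x")</script>'
    '<a href="JavaScript:void(0)">click</a>'
    '<iframe src="https://example.invalid/"></iframe>'
)

if __name__ == "__main__":
    clean, removed = sanitize(SAMPLE_HTML)
    print(clean)
    for item in removed:
        print("removed:", item)
```

The audit list is the part worth keeping: a pass that silently deletes content is hard to reason about, whereas a list of what was removed lets the author decide whether the draft was merely untidy or actually hostile. An allowlist is also easier to describe precisely than a blocklist, which matches the page's advice to call this a basic sanitizing pass and nothing more.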

What local rendering does not protect you from

Secrets already present in the text

If a draft includes a token, private URL, customer record, or internal incident detail, local rendering does not redact it. Remove sensitive information before pasting it into any general-purpose editor or before sharing a screenshot.

Bad input:

Retry with bearer token: eyJ...real-secret...

Better synthetic input:

Retry with bearer token: [REDACTED]
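Producing that synthetic input by hand is error-prone once a draft is more than a few lines, so here is an added example (written for this page, not part of the Markdown Preview tool) of a pattern-based first pass in Python. It replaces bearer tokens, JWT-shaped strings, key/value secrets, e-mail addresses and hostnames under a caller-supplied list of internal domains, and reports how many substitutions each rule made so the reviewer can see what was touched. The rules, the internal-domain list and the sample draft are constructed for the example; patterns like these catch the common shapes, and the draft still has to be read before it is pasted anywhere.

```python
"""Pattern-based first-pass redaction of a documentation draft (added example)."""
import re

# Each rule: name, pattern, replacement. Group 1, where present, keeps the label
# so the sentence still reads naturally after the value is replaced.
RULES = [
    ("bearer_token", re.compile(r"(?i)\b(bearer)\s+[A-Za-z0-9._~+/=-]{8,}"), r"\1 [REDACTED]"),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"), "[REDACTED]"),
    ("keyvalue_secret",
     re.compile(r"(?i)\b((?:api[_-]?key|token|password|secret)\s*[:=]\s*)\S+"), r"\1[REDACTED]"),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[REDACTED_EMAIL]"),
]


def redact(text, internal_domains=()):
    """Return (redacted_text, counts_by_rule).

    Hostnames under any listed internal domain are replaced together with the
    URL path that follows them, so private links disappear as a whole."""
    rules = list(RULES)
    for domain in internal_domains:
        pattern = re.compile(r"\b(?:https?://)?[\w.-]*" + re.escape(domain) + r"(?:/\S*)?")
        rules.append(("internal_host", pattern, "[INTERNAL_HOST]"))
    counts = {}
    for name, pattern, repl in rules:
        text, n = pattern.subn(repl, text)
        if n:
            counts[name] = counts.get(name, 0) + n
    return text, counts


# Constructed sample draft; "corp.example" stands in for an internal domain.
SAMPLE_DRAFT = """## Incident follow-up
Retry with bearer token: eyJ...real-secret...
Auth header was Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.abc123DEF456
Escalated to oncall@corp.example; see https://jira.corp.example/browse/INC-4481
Database host db01.corp.example was restarted.
"""

if __name__ == "__main__":
    redacted, counts = redact(SAMPLE_DRAFT, internal_domains=("corp.example",))
    print(redacted)
    print("substitutions by rule:", counts)
```

Run on the sample, the page's bad input line becomes exactly the "better synthetic input" shown above, and the counts dictionary gives the reviewer a quick check that the e-mail address and both internal hosts were caught. The internal-domain list is deliberately an argument rather than a constant: it is the one part of this that has to come from the organisation, not from a generic pattern.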

Risk in the destination where copied HTML is pasted

The Copy HTML action exports rendered HTML. A CMS, email editor, wiki, or application may have different parsing and sanitizing rules. Treat the destination as a separate security boundary.

Correctness of links and instructions

A preview can show that a Markdown link renders. It cannot tell you whether the URL exists, whether a runbook is current, or whether deployment instructions are safe.
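Part of that gap can be closed with a separate check before pasting. The following is an added example in Python (not a feature of the Markdown Preview tool) that extracts the inline links from a draft and classifies each one: in-document anchors are checked against the draft's own headings, relative paths are checked against a set of known document paths, and external URLs are flagged for manual verification rather than fetched. The heading-to-anchor convention, the set of known paths and the sample draft are assumptions constructed for the example; whether a runbook that exists is also current remains a human judgement.

```python
"""Offline link check for a Markdown draft (added example, not part of the preview tool)."""
import re

# Inline links only: [text](target) and [text](target "title").
# Reference-style links are not handled in this example.
LINK_RE = re.compile(r"\[([^\]]*)\]\(([^)\s]+)(?:\s+\"[^\"]*\")?\)")
HEADING_RE = re.compile(r"^#{1,6}\s+(.+?)\s*$", re.M)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:", re.I)


def slugify(heading):
    """Assumed anchor convention: lowercase, drop punctuation, spaces become hyphens."""
    s = re.sub(r"[^\w\s-]", "", heading.strip().lower())
    return re.sub(r"\s+", "-", s)


def check_links(markdown, known_paths):
    """Return (link_text, target, status) for every inline link in the draft."""
    anchors = {slugify(h) for h in HEADING_RE.findall(markdown)}
    findings = []
    for text, target in LINK_RE.findall(markdown):
        if target.startswith("#"):
            status = "ok" if target[1:] in anchors else "missing: no such heading in this draft"
        elif SCHEME_RE.match(target):
            status = "external: not checked offline, verify manually"
        else:
            path = target.split("#", 1)[0].split("?", 1)[0]
            status = "ok" if path in known_paths else "missing: no such document"
        findings.append((text, target, status))
    return findings


# Constructed sample draft based on the page's deployment note.
SAMPLE_MD = """## Deployment note

- Fixed retry handling for `req_1042`.

See the [runbook](/docs/deploy-runbook) before retrying.
Old link: [rollback guide](/docs/rollback).
Jump to [Deployment note](#deployment-note) or [Rollback](#rollback-steps).
Vendor status: [status page](https://status.example.invalid/ "Vendor status").
"""

# Constructed stand-in for "which documents exist"; in practice this would be
# read from the documentation tree or the destination system.
KNOWN_DOCS = {"/docs/deploy-runbook", "/docs/index"}

if __name__ == "__main__":
    for text, target, status in check_links(SAMPLE_MD, KNOWN_DOCS):
        print(f"[{text}]({target}): {status}")
```

Every link in the sample renders correctly in a preview; only the check distinguishes the runbook that exists from the rollback guide and the anchor that do not. External links are deliberately left as "verify manually": fetching them from a review script would turn a local check into network traffic that the page's privacy argument is trying to avoid.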

A useful review sequence

  1. Replace credentials, personal data, and internal hostnames with synthetic placeholders.
  2. Preview headings, code blocks, lists, and links in Markdown Preview.
  3. If the document changed materially, compare drafts in Diff Viewer.
  4. Paste into the destination editor and verify rendering there.
  5. Use the destination system's review and security requirements before publishing.

Trust boundary in one sentence

Markdown Preview helps you inspect ordinary documentation text locally; it is not a sandbox for malicious content or a clearance step for confidential material.

FAQ

Does local rendering mean I can paste secrets?

No. Local execution avoids a rendering upload, but secrets can still be copied, screenshotted, stored elsewhere, or published accidentally.

Does the preview sanitize HTML?

It applies a basic sanitizing pass before displaying generated HTML. Do not treat it as a general-purpose security sanitizer for hostile input or another application's publishing pipeline.

Should I copy HTML into a CMS without checking it again?

No. Preview and review the result inside the destination system, which may support different elements and have different safety rules.

Safe documentation starts with redacted input and precise claims about what was actually inspected.