Skip to Content

Markdown Renderer widget in Jitterbit App Builder

The Markdown Renderer widget renders Markdown-formatted text from a bound column or control as formatted HTML on the page. It is shipped as part of the App Builder collection, so it doesn't require downloading or uploading a widget archive. It is available in App Builder versions 4.64 and later.

Add the Markdown Renderer widget

  1. Open the Live Designer on a page, then add a Text Area control to a panel, bound to the column containing the Markdown-formatted text.

  2. Select the control. The Live Designer displays its configuration options.

  3. Under Edge Case, in the Edge Case section, configure the following fields:

    • Widget: Select Markdown Renderer. A new Widget Properties section appears below Edge Case.

    • Interface Mode: Select Always or Mobile Only.

    • Access Mode: Select Edit Only, View and Edit, or View Only.

  4. Next to the Widget dropdown, click the Param button. The Widget Parameters dialog opens.

  5. Click Create. The dialog changes to the Widget Parameter view. Configure the following fields:

    • Widget Parameter: Select Sanitize.

    • Parameter Type: Select Control.

    • Target Control: Select the Text Area control you added in step 1.

    • Default: Read-only. Shows the Sanitize parameter's default value, 1.

    • Use Formatted Value: Leave this checked (default).

    • Active: Leave this checked (default).

  6. Click Save.

Sanitize parameter

The Sanitize parameter accepts two values: 0 and 1. The difference in behavior is described below.

Value Behavior
0 Renders the HTML exactly as interpreted from the Markdown. No sanitization occurs, and all URLs are permitted.
1 (Default) Runs the HTML output through a sanitizer that strips potentially malicious code. When enabled, this also enforces link filtering, meaning that only links to domains explicitly defined in the Allowed URLs list remain clickable.

Important

For security best practices, leave Sanitize set to 1 unless your use case requires unfiltered HTML output. This is especially relevant when the Markdown source includes content from an untrusted source, such as LLM-generated text.

How sanitization works

When the Sanitize parameter is enabled, the Markdown Renderer widget uses the open source DOMPurify library to clean its HTML output. DOMPurify removes <script> elements, inline event handler attributes (such as onclick), and dangerous URL protocols (javascript:, data:, vbscript:), while preserving safe structural HTML.

DOMPurify does not, by itself, restrict which domains a link can point to. To control which URLs remain clickable, App Builder additionally enforces the Allowed URLs list.

The underlying Markdown parser is configured to allow raw HTML embedded directly in the Markdown source, which is useful for formatting that Markdown doesn't support natively. Therefore, keeping Sanitize enabled is recommended even for content that appears to be plain Markdown, since raw HTML could still be embedded in it.