Markdown doesn't always generate XHTML
Ulf Ochsenfahrt
ulf at ofahrt.de
Fri Mar 14 14:22:12 EDT 2008

Hello everybody,

I've just noticed that markdown doesn't always generate XHTML. In 
particular the input

<script src="http://evilserver.net/evil.js">

generates the output:

<p><script src="http://evilserver.net/evil.js"></p>

(This is the markdown dingus at daring fireball, and the markdownj 
implementation exhibits the same problem. I haven't checked other 
implementations of markdown.)

I have two issues with this:

1. The script tag isn't closed, which means it's not valid XML (and thus 
not valid XHTML).
2. It's a security issue if you allow visitors to enter markdown text 
and display it on a page, e.g., in a forum, as it allows certain HTML 
injection attacks.

I've looked at the mailing list archives without finding any note that 
this is a known issue.

Would you consider this a bug or a feature? If it's a feature, then 
unfortunately I won't be able to use markdown for a forum I'm 
administrating due to the security implications.

Cheers,
-- Ulf
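The two points in the message above can be checked and mitigated on the rendered HTML rather than on the Markdown source. The following is an added example (not code from the post, from Markdown.pl, the Dingus, or markdownj): it takes the exact output string reported above as a constructed sample, shows with an XML parser that it is not well-formed, and then runs it through a small allowlist sanitizer of the kind a forum would put between the Markdown renderer and the page. The allowed tag and attribute set, the "http/https only" rule for href, and the benign sample line using example.com are assumptions chosen for the illustration, not anything the post specifies.

```python
"""Allowlist sanitizer for rendered Markdown output, plus an XML
well-formedness check (added example, not code from the post or from
any Markdown implementation)."""
from html import escape
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

# Constructed samples: the output the post reports for an unclosed
# <script src=...> tag, and a benign rendering for comparison.
UNSAFE_OUTPUT = '<p><script src="http://evilserver.net/evil.js"></p>'
BENIGN_OUTPUT = '<p>Hello <em>world</em> <a href="http://example.com/">x</a></p>'

# Assumed forum policy: only these tags and attributes survive.
ALLOWED_TAGS = {"p", "br", "em", "strong", "code", "pre", "a",
                "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")
VOID = {"br"}   # no end tag, so never pushed on the open-tag stack


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowed tags, drops disallowed elements together
    with their content, and closes whatever the input left open."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []      # sanitized fragments, joined at the end
        self.stack = []    # allowed tags currently open
        self.skip = []     # disallowed tags currently open (content dropped)
        self.dropped = []  # names of removed tags, for logging

    def handle_starttag(self, tag, attrs):
        if self.skip or tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            if tag not in VOID:
                self.skip.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue   # rejects javascript:, data:, vbscript: and friends
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if self.skip:
            if tag in self.skip:            # leaving a dropped element
                while self.skip.pop() != tag:
                    pass
            return
        if tag in self.stack:
            # close it and anything opened after it, so nesting stays sane
            while self.stack:
                top = self.stack.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break
        # stray end tags with nothing open are ignored

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.stack:   # close tags the input left open (the bug above)
            self.out.append(f"</{self.stack.pop()}>")


def sanitize(html):
    """Return (sanitized_html, list_of_dropped_tag_names)."""
    s = AllowlistSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.dropped


def is_well_formed_xml(fragment):
    """True if the fragment parses as XML, the XHTML test the post applies."""
    try:
        ET.fromstring(fragment)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    for sample in (UNSAFE_OUTPUT, BENIGN_OUTPUT):
        clean, dropped = sanitize(sample)
        print(f"{sample!r}\n  well-formed: {is_well_formed_xml(sample)}"
              f"\n  sanitized:   {clean!r} (dropped {dropped})")
```

Note that the sanitizer works on the renderer's output, so it does not depend on how any particular Markdown implementation treats inline HTML: the unclosed script element is dropped whole (Python's parser, like a browser, treats everything after `<script>` as script content until a `</script>` appears, so the trailing `</p>` never reaches the output), and the `<p>` the input left open is closed explicitly, which is what restores well-formedness.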