Markdown doesn't always generate XHTML

Michel Fortin michel.fortin at michelf.com
Fri Mar 14 23:22:25 EDT 2008


On 2008-03-14 at 16:38, Waylan Limberg wrote:

> Regarding the security issues, I understand your concerns, but there
> are some situations were all document authors are trusted
> (authenticated) users and have a legitimate need for that feature. We
> can't cut them off for everyone else. However, I know that
> Python-Markdown has an option to not allow any html in a document
> (this "safe_mode" can be set to either replace with a customizable
> message, remove completely, or escape the html). Of course, to stay in
> line with the Markdown standard, it is off by default, but very easy
> to turn on in your code. Other implementations may offer a similar
> option.


"Safe mode" you say?

PHP Markdown also has a no-markup mode which would filter script tags
and any other HTML tags. But this doesn't prevent anyone from
inserting their own script on the page. Do you know you can inject a
script in a URL? Guess what this does:

[link](javascript:alert%28'Hello%20world!'%29)

There is also a browser (IE I think) which automatically executes
JavaScript used as the source URL for an image, so this could also
work in some cases:

![image](javascript:alert%28'Hello%20world!'%29)


Michel Fortin
michel.fortin at michelf.com
http://michelf.com/
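The point of the message above is that stripping HTML tags says nothing about the URLs Markdown itself turns into `href` and `src` attributes. The usual mitigation is to validate those URLs against an allowlist of schemes after rendering, rather than searching for `javascript:`. The following is an added example, not code from the original post and not part of PHP Markdown or Python-Markdown; it assumes the rendered HTML is available as a string, uses only the Python standard library, and goes slightly beyond the two cases in the message by checking every `href` and `src` attribute and rejecting any scheme that is not on the list, so it does not depend on how the scheme is spelled or encoded.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist: relative URLs (empty scheme) plus the schemes a normal page needs.
# Everything else, including javascript:, is dropped, so there is no denylist
# to keep up to date.
ALLOWED_SCHEMES = {"", "http", "https", "mailto"}
URL_ATTRIBUTES = {"href", "src"}

# ASCII control characters and space; browsers ignore these at the ends of a URL.
_EDGE_JUNK = "".join(chr(c) for c in range(0x21))


def is_safe_url(url: str) -> bool:
    """True when the URL's scheme is on the allowlist.

    The URL is normalised roughly the way a browser does before the scheme is
    read (edge whitespace/controls stripped, embedded tab/CR/LF removed), and
    urlsplit lowercases the scheme, so spelling variants don't matter.
    """
    cleaned = re.sub(r"[\t\r\n]", "", url.strip(_EDGE_JUNK))
    return urlsplit(cleaned).scheme.lower() in ALLOWED_SCHEMES


class UrlSanitizer(HTMLParser):
    """Re-emits the HTML it is fed, minus href/src attributes with bad schemes."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []        # output fragments
        self.dropped = []    # (tag, attribute, value) for each removed URL

    def _attrs(self, tag, attrs):
        parts = []
        for name, value in attrs:
            if name.lower() in URL_ATTRIBUTES and value is not None and not is_safe_url(value):
                self.dropped.append((tag, name, value))
                continue
            if value is None:
                parts.append(f" {name}")
            else:
                # HTMLParser unescaped the value; re-escape it on the way out.
                parts.append(f' {name}="{escape(value, quote=True)}"')
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)} />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def sanitize_urls(html: str):
    """Return (cleaned_html, dropped) for a rendered Markdown document."""
    parser = UrlSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample: the HTML a Markdown processor emits for the two examples
# in the message above, plus an ordinary link that must survive untouched.
SAMPLE_HTML = (
    "<p><a href=\"javascript:alert%28'Hello%20world!'%29\">link</a></p>\n"
    "<p><img src=\"javascript:alert%28'Hello%20world!'%29\" alt=\"image\" /></p>\n"
    '<p><a href="http://michelf.com/">Michel</a></p>'
)

if __name__ == "__main__":
    cleaned, dropped = sanitize_urls(SAMPLE_HTML)
    print(cleaned)
    for tag, attr, value in dropped:
        print(f"dropped <{tag} {attr}> with scheme {urlsplit(value).scheme!r}")
```

Run as a post-processing step on the Markdown output, whether or not a "safe mode" is on: the two `javascript:` destinations lose their `href`/`src` (the link text and `alt` text stay), the `http://` link is unchanged, and `dropped` gives you something to log or count per author.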




More information about the Markdown-Discuss mailing list