using markdown in a forum?

Michel Fortin michel.fortin at
Thu May 6 08:14:03 EDT 2010

On 2010-05-06 at 7:24, Louis-David Mitterrand wrote:

> Fortunately HTML::Scrubber allows denying specific attributes based on a
> regexp:
>
> 'href' => qr{^(?!(?:java)?script)}i,
> 'src' => qr{^(?!(?:java)?script)}i,
> etc.

That's full of holes. Use a whitelist, not a blacklist. For instance, it won't catch this:


or this:

jav ascript:alert('XSS');

which will work, at least in some browsers!

Here's a good reference about javascript attacks (not all cases will apply to you, but a good reference nonetheless):

Michel Fortin
michel.fortin at
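The following is an added example, not code from this thread or from HTML::Scrubber (which is Perl; the quoted pattern is transcribed here into Python syntax). It puts the denylist regex from the quoted message next to a scheme allowlist of the kind Michel recommends, and runs both over URL values of the shape discussed above: a plain `javascript:` URL, one with leading whitespace, and one with a tab splitting the scheme name. The normalization step mirrors what browsers do before reading a scheme (leading and trailing whitespace and control characters are stripped, embedded tab and newline characters are removed), so the check sees what the browser will see. The `ALLOWED_SCHEMES` set, the `URL_ATTRIBUTES` set and `scrub_attributes` are assumptions for illustration, not part of any scrubber library.

```python
import re

# The denylist the quoted message applies to href/src, transcribed from
# Perl qr{^(?!(?:java)?script)}i into Python syntax.
DENYLIST = re.compile(r"^(?!(?:java)?script)", re.IGNORECASE)

# Allowlist: only these schemes may appear in a URL attribute.  Anything
# else, including schemes nobody thought of when writing a denylist, is
# rejected.  (Assumed policy for this example.)
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Attributes whose value is a URL and must pass the allowlist.  (Assumed.)
URL_ATTRIBUTES = {"href", "src"}

_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
_EDGE_CONTROLS = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")
_INNER_CONTROLS = re.compile(r"[\t\n\r]")


def denylist_allows(url):
    """True when the quoted denylist regex would let this value through."""
    return DENYLIST.match(url) is not None


def normalize(url):
    """Approximate browser URL pre-processing: strip leading/trailing
    whitespace and C0 controls, then drop embedded tab/newline characters.
    'jav<TAB>ascript:' therefore becomes 'javascript:' before any scheme
    check, which is exactly why a pattern anchored at ^ misses it."""
    url = _EDGE_CONTROLS.sub("", url)
    return _INNER_CONTROLS.sub("", url)


def allowlist_allows(url):
    """True only for relative URLs or URLs whose scheme is in ALLOWED_SCHEMES."""
    normalized = normalize(url)
    match = _SCHEME.match(normalized)
    if match is None:
        # No scheme at all: a relative URL, resolved against the page's own
        # origin, so it cannot introduce a script scheme.
        return True
    return match.group(1).lower() in ALLOWED_SCHEMES


def scrub_attributes(attrs):
    """Return a copy of an element's attributes with every URL attribute
    that fails the allowlist dropped outright.  Dropping is safer than
    rewriting: there is no half-fixed value left for a browser to reinterpret."""
    return {
        name: value
        for name, value in attrs.items()
        if name.lower() not in URL_ATTRIBUTES or allowlist_allows(value)
    }


if __name__ == "__main__":
    # Constructed sample values: the case the denylist was written for,
    # the two obfuscations the thread describes, and two benign links.
    samples = [
        "javascript:alert('XSS')",
        " javascript:alert('XSS')",
        "jav\tascript:alert('XSS')",
        "https://example.com/thread/42",
        "/thread/42",
    ]
    for value in samples:
        print(repr(value),
              "denylist:", "pass" if denylist_allows(value) else "block",
              "allowlist:", "pass" if allowlist_allows(value) else "block")
```

Running the block shows the denylist blocking only the literal `javascript:` value and passing both obfuscated forms, while the allowlist blocks all three and passes the two ordinary links. The general lesson is the one in Michel's reply: enumerate what is permitted, normalize the way the consumer (the browser) will, and reject everything else.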

More information about the Markdown-Discuss mailing list