PHP Markdown (javascript injection & list processing)

[Michel Fortin]

I'm forwarding this email to the Markdown discussion list since other 
people may be interested by what it say. My comments are inserted in 
the middle of your text, Harry.

Harry Hahn wrote:


> Hello,

>

> I'm writing regarding your PHP Markdown conversion. I am working on a 

> project right now for which I wanted to do Markdown processing, so I 

> was very pleased to have come across it.

>

> I've been very happy with how it works - however, I've noticed a 

> couple of issues that I wanted to bring to your attention and hear 

> your comments on:

>

> * Javascript can be injected. For example, entering the following:

>

> 	<script type="text/javascript">alert('hello')</script>

>

> will result in this being left alone by markdown.php and end up 

> running the script if no further processing is down prior to sending 

> to the client (for example, in your Markdown dingus). This seems like 

> a security risk to me and I have added an additional processing within 

> my application to try to escape this.

>

> Perhaps you are of the mind that handling something like this should 

> not be handled within markdown.php, in which case, I will leave my 

> additional step in. However, I think other users of the project might 

> benefit from being alerted to such dangers.


Very true. In some cases this may be useful: when you write your own 
web pages with Markdown. But this is surly not appropriate for 
comments. Currently, the best method would be to parse the resulting 
HTML to remove any inappropriate tags/attributes. There are some 
existing filters to do this. (Right now I'm thinking about [kses][].)

  [kses]: http://sourceforge.net/projects/kses


> * List processing seems to have a bug. For example, the following 

> content (between the cut lines):

>

> ----8<----

> * one

> * two

> * three

>

>      indented text

> ---->8----

>

> results in the "indented text" part being incorporated as part of the 

> final <li> element, rather than as a new block (in this case, a code 

> block).

>

> In other words, I expect:

>

> <ul>

> <li>one</li>

> <li>two</li>

> <li>three</li>

> </ul>

> <pre><code>indented text

> </code></pre>

>

> and instead got:

>

> <ul>

> <li>one</li>

> <li>two</li>

> <li><p>three</p>

>

> <p>indented text</p></li>

> </ul>

>

> Perhaps this is not a bug, but a peculiarity of Markdown, in which 

> case, I can certainly work around it. I thought it counterintuitive so 

> I wanted to bring it to your attention.


This is not really a bug. Since list items can contain multiple 
paragraphs, the list item has to encompass everything until it finds an 
unindented paragraph. There is no reliable way to tell if what you want 
next is a code block, or a new paragraph inside the list item. So you 
will have to work around it. (You could write your list or your code 
block directly in HTML as a workaround.)

Counterintuitive? Maybe, but making it a code block would mean giving 
up entirely paragraphs in list items.


> Regards,

> Harry



Michel Fortin
michel.fortin at michelf.com
http://www.michelf.com/