PHP Markdown (javascript injection & list processing)

Michel Fortin michel.fortin at michelf.com
Tue Jul 19 22:36:47 EDT 2005


I'm forwarding this email to the Markdown discussion list since other
people may be interested in what it says. My comments are inserted in
the middle of your text, Harry.

Harry Hahn wrote:


> Hello,
>
> I'm writing regarding your PHP Markdown conversion. I am working on a
> project right now for which I wanted to do Markdown processing, so I
> was very pleased to have come across it.
>
> I've been very happy with how it works - however, I've noticed a
> couple of issues that I wanted to bring to your attention and hear
> your comments on:
>
> * Javascript can be injected. For example, entering the following:
>
> <script type="text/javascript">alert('hello')</script>
>
> will result in this being left alone by markdown.php and end up
> running the script if no further processing is done prior to sending
> to the client (for example, in your Markdown dingus). This seems like
> a security risk to me and I have added an additional processing within
> my application to try to escape this.
>
> Perhaps you are of the mind that handling something like this should
> not be handled within markdown.php, in which case, I will leave my
> additional step in. However, I think other users of the project might
> benefit from being alerted to such dangers.


Very true. In some cases this may be useful: when you write your own
web pages with Markdown. But this is surely not appropriate for
comments. Currently, the best method would be to parse the resulting
HTML to remove any inappropriate tags/attributes. There are some
existing filters to do this. (Right now I'm thinking about [kses][].)

[kses]: http://sourceforge.net/projects/kses
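As an added illustration of the post-processing filter described above (example code written for this archive page, not code from markdown.php or from kses, and in Python rather than PHP for illustration): the filter is an allowlist run over the HTML that Markdown produced, so `<script>`, `on*` handlers and `javascript:` URLs are dropped without having to enumerate them. The tag and attribute policy is a constructed example; adjust it to the site.

```python
from html.parser import HTMLParser
from html import escape
# Allowlist policy (constructed for this example): the tags Markdown itself
# emits, with the few attributes each may keep. Anything not listed is dropped,
# which covers <script>, every on* handler, style= and javascript: URLs at once.
ALLOWED_TAGS = {
    "p": (), "em": (), "strong": (), "code": (), "pre": (), "blockquote": (),
    "ul": (), "ol": (), "li": (), "h1": (), "h2": (), "h3": (), "br": (), "hr": (),
    "a": ("href", "title"), "img": ("src", "alt", "title"),
}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/", "#")
CONTENT_DROPPED = {"script", "style"}  # their text is not content; discard it too
def url_ok(value):
    v = value.strip().lower()   # reject javascript:, data:, vbscript: and //host
    return v.startswith(SAFE_URL_PREFIXES) and not v.startswith("//")

class AllowlistFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in CONTENT_DROPPED:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown element: tag removed, its text content survives as text
        kept = []
        for name, value in attrs:
            value = value or ""
            if name in ALLOWED_TAGS[tag] and (name not in ("href", "src") or url_ok(value)):
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in CONTENT_DROPPED:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in ("br", "hr", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # re-escape decoded text

def sanitize(html):
    # Run over the HTML markdown.php produced, before it is sent to the client.
    f = AllowlistFilter()
    f.feed(html)
    f.close()
    return "".join(f.out)
```

Running the page's own sample through it, `sanitize('<script type="text/javascript">alert(\'hello\')</script>')` returns an empty string, while ordinary Markdown output such as `<pre><code>indented text\n</code></pre>` passes through unchanged.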


> * List processing seems to have a bug. For example, the following
> content (between the cut lines):
>
> ----8<----
> * one
> * two
> * three
>
>     indented text
> ---->8----
>
> results in the "indented text" part being incorporated as part of the
> final <li> element, rather than as a new block (in this case, a code
> block).
>
> In other words, I expect:
>
> <ul>
> <li>one</li>
> <li>two</li>
> <li>three</li>
> </ul>
> <pre><code>indented text
> </code></pre>
>
> and instead got:
>
> <ul>
> <li>one</li>
> <li>two</li>
> <li><p>three</p>
>
> <p>indented text</p></li>
> </ul>
>
> Perhaps this is not a bug, but a peculiarity of Markdown, in which
> case, I can certainly work around it. I thought it counterintuitive so
> I wanted to bring it to your attention.


This is not really a bug. Since list items can contain multiple
paragraphs, the list item has to encompass everything until it finds an
unindented paragraph. There is no reliable way to tell if what you want
next is a code block, or a new paragraph inside the list item. So you
will have to work around it. (You could write your list or your code
block directly in HTML as a workaround.)

Counterintuitive? Maybe, but making it a code block would mean giving
up entirely paragraphs in list items.


> Regards,
> Harry



Michel Fortin
michel.fortin at michelf.com
http://www.michelf.com/


