Markdown doesn't always generate XHTML
Ulf Ochsenfahrt
ulf at ofahrt.de
Fri Mar 14 14:22:12 EDT 2008
Hello everybody,
I've just noticed that markdown doesn't always generate XHTML. In
particular the input
<script src="http://evilserver.net/evil.js">
generates the output:
<p><script src="http://evilserver.net/evil.js"></p>
(This is the markdown dingus at daring fireball, and the markdownj
implementation exhibits the same problem. I haven't checked other
implementations of markdown.)
I have two issues with this:
1. The script tag isn't closed, which means it's not valid XML (and thus
not valid XHTML).
2. It's a security issue if you allow visitors to enter markdown text
and display it on a page, e.g., in a forum, as it allows certain HTML
injection attacks.
I've looked at the mailing list archives without finding any note that
this is a known issue.
Would you consider this a bug or a feature? If it's a feature, then
unfortunately I won't be able to use markdown for a forum I'm
administrating due to the security implications.
Cheers,
-- Ulf
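As an added example (not part of Ulf's post or of any Markdown implementation), a defensive post-processing step a forum could run on rendered Markdown output: reject anything that is not well-formed XML, which catches the unclosed tag from the post, and strip elements and attributes outside an allowlist from what remains. The allowlist, the accepted URL schemes and the sample fragments are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the exact output quoted in the post for the raw
# <script> input, plus two well-formed fragments for comparison.
BROKEN = '<p><script src="http://evilserver.net/evil.js"></p>'
CLOSED = '<p>hi <script src="http://evilserver.net/evil.js"></script></p>'
BENIGN = '<p>see <a href="http://example.com/" title="t" onclick="x">this</a></p>'

# Assumed forum policy: only these tags, attributes and URL schemes may
# reach the page; everything else is dropped.
ALLOWED_TAGS = {"p", "em", "strong", "code", "pre", "blockquote",
                "ul", "ol", "li", "a", "h1", "h2", "h3", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = ("http://", "https://", "mailto:")

def parse_xhtml_fragment(fragment):
    """Parse rendered output as XML inside a synthetic root (so several
    top-level elements are fine). Returns None if it is not well-formed,
    which is the post's first complaint. Caveat: only the five XML entities
    are accepted, so HTML named entities such as &nbsp; are rejected too."""
    try:
        return ET.fromstring("<root>" + fragment + "</root>")
    except ET.ParseError:
        return None

def strip_disallowed(root):
    """Remove non-allowlisted elements with their content (keeping the text
    that followed them) and drop non-allowlisted or non-http(s) attributes."""
    for parent in list(root.iter()):
        prev = None
        for child in list(parent):
            if child.tag not in ALLOWED_TAGS:
                if child.tail:  # re-attach trailing text before removal
                    if prev is not None:
                        prev.tail = (prev.tail or "") + child.tail
                    else:
                        parent.text = (parent.text or "") + child.tail
                parent.remove(child)
                continue
            for name, value in list(child.attrib.items()):
                ok = name in ALLOWED_ATTRS.get(child.tag, set())
                if ok and name == "href":
                    ok = value.lower().startswith(ALLOWED_SCHEMES)
                if not ok:
                    del child.attrib[name]
            prev = child
    return root

def sanitize(fragment):
    """Return the cleaned fragment, or None when the post must be rejected."""
    root = parse_xhtml_fragment(fragment)
    if root is None:
        return None
    strip_disallowed(root)
    return (root.text or "") + "".join(ET.tostring(c, encoding="unicode") for c in root)
```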