Markdown doesn't always generate XHTML

Ulf Ochsenfahrt ulf at
Fri Mar 14 14:22:12 EDT 2008

Hello everybody,

I've just noticed that markdown doesn't always generate XHTML. In
particular the input

<script src="">

generates the output:

<p><script src=""></p>

(This is the markdown dingus at daring fireball, and the markdownj
implementation exhibits the same problem. I havn't checked other
implementations of markdown.)

I have two issues with this:
1. The script tag isn't closed, which means it's not valid XML (and thus
not valid XHTML).

2. It's a security issue if you allow visitors to enter markdown text
and display it on a page, e.g., in a forum, as it allows certain HTML
injection attacks.

I've looked at the mailing list archives without finding any note that
this is a known issue.

Would you consider this a bug or a feature? If it's a feature, then
unfortunately I won't be able to use markdown for a forum I'm
administrating due to the security implications.


-- Ulf

More information about the Markdown-Discuss mailing list