Markdown doesn't always generate XHTML

Milian Wolff mail at milianw.de
Fri Mar 14 15:11:49 EDT 2008


On Friday, 14 March 2008, Ulf Ochsenfahrt wrote:

> Hello everybody,
>
> I've just noticed that markdown doesn't always generate XHTML. In
> particular the input
>
> <script src="http://evilserver.net/evil.js">
>
> generates the output:
>
> <p><script src="http://evilserver.net/evil.js"></p>
>
> (This is the markdown dingus at daring fireball, and the markdownj
> implementation exhibits the same problem. I haven't checked other
> implementations of markdown.)
>
> I have two issues with this:
> 1. The script tag isn't closed, which means it's not valid XML (and thus
> not valid XHTML).


This is a bug in my eyes.


> 2. It's a security issue if you allow visitors to enter markdown text
> and display it on a page, e.g., in a forum, as it allows certain HTML
> injection attacks.
>
> I've looked at the mailing list archives without finding any note that
> this is a known issue.
>
> Would you consider this a bug or a feature? If it's a feature, then
> unfortunately I won't be able to use markdown for a forum I'm
> administrating due to the security implications.


The security issue is not Markdown's. You'll have to supply your own validation
and input filtering mechanisms. A *good* editor could want to include
`<script>` tags and it's not Markdown's philosophy to stand in the way here.

There are tons of pretty decent filtering functions out there. Which
programming language do you use?

--
Milian Wolff
http://milianw.de
OpenPGP key: CD1D1393
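The filtering Milian refers to sits in the application, after Markdown has rendered. Here is an added example (not code from this thread or from any Markdown implementation) of an allowlist sanitizer built on Python's standard-library HTML parser: it rebuilds the rendered fragment from permitted elements and attributes, drops `<script>` and `<style>` together with their content, rejects non-http(s) link schemes, and closes whatever the input left open, so the exact fragment quoted above comes out as `<p></p>`. The tag, attribute and scheme allowlists are assumptions chosen for ordinary Markdown output.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlists covering what ordinary Markdown output produces (constructed for this example).
ALLOWED_TAGS = {"p", "a", "em", "strong", "code", "pre", "ul", "ol", "li", "blockquote",
                "h1", "h2", "h3", "h4", "h5", "h6", "br", "hr", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
VOID_TAGS = {"br", "hr", "img"}
DROP_WITH_CONTENT = {"script", "style"}        # tag and everything inside it are discarded
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" keeps relative links


class MarkdownOutputSanitizer(HTMLParser):
    """Re-emits only allowlisted markup and closes any element the input left open."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown element: drop the tag, keep its text content
        kept = ""
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # drops onclick=, style=, ... on every element
            if name in ("href", "src") and urlparse(value.strip()).scheme.lower() not in SAFE_SCHEMES:
                continue  # drops javascript: and data: URLs
            kept += f' {name}="{escape(value, quote=True)}"'
        if tag in VOID_TAGS:
            self.out.append(f"<{tag}{kept} />")
        else:
            self.out.append(f"<{tag}{kept}>")
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in self.open_tags:
            top = None
            while top != tag:  # also closes anything still open inside it
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        self.close()
        while self.open_tags:  # unclosed input tags become closed output tags
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Sanitize one rendered-Markdown HTML fragment and return well-nested output."""
    parser = MarkdownOutputSanitizer()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    # The exact output quoted in the thread: an opened <script> with no closing tag.
    print(sanitize('<p><script src="http://evilserver.net/evil.js"></p>'))  # <p></p>
```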

