Markdown doesn't always generate XHTML
mail at milianw.de
Fri Mar 14 15:11:49 EDT 2008
Am Freitag, 14. März 2008 schrieb Ulf Ochsenfahrt:
> Hello everybody,
> I've just noticed that markdown doesn't always generate XHTML. In
> particular the input
> <script src="http://evilserver.net/evil.js">
> generates the output:
> <p><script src="http://evilserver.net/evil.js"></p>
> (This is the markdown dingus at daring fireball, and the markdownj
> implementation exhibits the same problem. I havn't checked other
> implementations of markdown.)
> I have two issues with this:
> 1. The script tag isn't closed, which means it's not valid XML (and thus
> not valid XHTML).
This is a bug in my eyes.
> 2. It's a security issue if you allow visitors to enter markdown text
> and display it on a page, e.g., in a forum, as it allows certain HTML
> injection attacks.
> I've looked at the mailing list archives without finding any note that
> this is a known issue.
> Would you consider this a bug or a feature? If it's a feature, then
> unfortunately I won't be able to use markdown for a forum I'm
> administrating due to the security implications.
The security issue is not markdowns. You'll have to supply your own validation
and input filtering mechanisms. A *good* editor could want to include
`<script>` tags and it's not Markdowns philosophy to stand in the way here.
There are tons of pretty decent filtering functions out there. Which
programming language do you use?
OpenPGP key: CD1D1393
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : <http://six.pairlist.net/pipermail/markdown-discuss/attachments/20080314/5bdbcd44/attachment.pgp>
More information about the Markdown-Discuss