Markdown doesn't always generate XHTML

Milian Wolff mail at
Fri Mar 14 15:11:49 EDT 2008

On Friday, 14 March 2008, Ulf Ochsenfahrt wrote:

> Hello everybody,
>
> I've just noticed that markdown doesn't always generate XHTML. In
> particular the input
>
> <script src="">
>
> generates the output:
>
> <p><script src=""></p>
>
> (This is the markdown dingus at daring fireball, and the markdownj
> implementation exhibits the same problem. I haven't checked other
> implementations of markdown.)
>
> I have two issues with this:
> 1. The script tag isn't closed, which means it's not valid XML (and thus
> not valid XHTML).

This is a bug in my eyes.

> 2. It's a security issue if you allow visitors to enter markdown text
> and display it on a page, e.g., in a forum, as it allows certain HTML
> injection attacks.
>
> I've looked at the mailing list archives without finding any note that
> this is a known issue.
>
> Would you consider this a bug or a feature? If it's a feature, then
> unfortunately I won't be able to use markdown for a forum I'm
> administrating due to the security implications.

The security issue is not Markdown's. You'll have to supply your own validation
and input filtering mechanisms. A *good* editor could want to include
`<script>` tags and it's not Markdown's philosophy to stand in the way here.

There are tons of pretty decent filtering functions out there. Which
programming language do you use?

Milian Wolff
OpenPGP key: CD1D1393
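As an added illustration (my own example, not code from this thread or from Markdown itself), here is one way to supply the filtering Milian describes: an allowlist sanitizer run over Markdown's HTML output, which drops the `<script>` element from the quoted `<p><script src=""></p>` case and closes any tag left open so the result is well-formed. The tag and attribute allowlist and the URL scheme list are assumptions to be adjusted for the site.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: tags Markdown emits, and the attributes each may keep.
ALLOWED = {
    "p": set(), "em": set(), "strong": set(), "code": set(), "pre": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "h1": set(), "h2": set(), "h3": set(), "br": set(), "hr": set(),
    "a": {"href", "title"},
}
VOID = {"br", "hr"}                     # never pushed on the open-tag stack
SAFE_SCHEMES = ("http:", "https:", "mailto:")   # assumed href policy

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skip = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip = tag             # discard the element's text content too
        if tag not in ALLOWED:
            return                      # unknown tag: dropped with its attributes
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag]:
                continue
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue                # e.g. javascript: URLs are dropped
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag == self.skip:
            self.skip = None
        if tag in self.open:            # close everything down to this tag
            while self.open:
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if self.skip is None:
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()                 # flush the parser's buffer
        while self.open:                # close tags left open, as in the bug report
            self.out.append(f"</{self.open.pop()}>")

def sanitize(html):
    s = Sanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out)
```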
