Markdown doesn't always generate XHTML

Michel Fortin michel.fortin at
Fri Mar 14 23:43:56 EDT 2008

Preprocessing markdown is something extremely difficult to get right...

Le 2008-03-14 à 16:57, Petite Abeille a écrit :

> Or one could preprocess the text directly before rendering it, e.g.:


> aText = aText:gsub( '(`?)(<.->)(`?)', '`%2`' )

> aText = markdown( aText )

> aText = aText:gsub( '(`)(&lt;.-&gt;)(`)', '%2' )

That looks rather hackish and trivial to work around if you want to
inject random HTML. It may protect the user from accidentally
inserting HTML, but it will only detract for a couple of seconds
someone voluntarily seeking to do it. What would it do with this for

``<script <!--
alert("Hello world!")
</script <>```

If I understand the preprocessing, the example string would be
unchanged after preprocessing. When passed through PHP Markdown and (tried on the Dingus), this will pop an alert.

> Or at least this is what Nanoki, a wiki engine implemented in Lua,

> does to protect the innocent from shooting themselves in the foot :)




> Try to edit the online demo:



As expected, the example above pops an alert. I'm not sure why, but
even this one works:

<script <!--
alert("Hello world!")
</script <>

> In theory, functional anomalies aside, Nanoki's pages should always

> render as valid XHTML.

Practice always defies theory once the theory is put in practice.

Michel Fortin
michel.fortin at

More information about the Markdown-Discuss mailing list