Javascript in URLs (was: Markdown doesn't always generate XHTML)

Waylan Limberg waylan at
Sat Mar 15 00:39:13 EDT 2008

On Fri, Mar 14, 2008 at 11:22 PM, Michel Fortin
<michel.fortin at> wrote:


> "Safe mode" you say?

Yeah, well, I didn't paint that bike shed.


> PHP Markdown also has a no-markup mode which would filter script tags

> and any other HTML tags. But this doesn't prevent anyone from

> inserting their own script on the page. Do you know you can inject a

> script in a URL? Guess what this does:


> [link](javascript:alert%28'Hello%20world!'%29)


This is a good point, and something I hadn't thought about myself. I
would think that markdown should *not* allow that regardless of any
safe/no-markup/whatever-you-call-it mode. If someone legitimately
wants javascript in their links/images/etc then they should be writing
raw html. What do you think?

Of course, then how do we do that? Some possabilites I came up with
without much thought:

1. Trunicate a url at "javascript:"
2. Completely remove the entire url (perhaps replace with blank string or "#")
3. Leave the markup for the entire link as plan text (in other words -
its not considered a match)
4. Do some kind of escaping (not sure what at this point) and leave it
in the url

Waylan Limberg
waylan at

More information about the Markdown-Discuss mailing list