Javascript in URLs (was: Markdown doesn't always generate XHTML)
Waylan Limberg
waylan at gmail.com
Sat Mar 15 00:39:13 EDT 2008
On Fri, Mar 14, 2008 at 11:22 PM, Michel Fortin
<michel.fortin at michelf.com> wrote:
>
> "Safe mode" you say?
Yeah, well, I didn't paint that bike shed.
>
> PHP Markdown also has a no-markup mode which would filter script tags
> and any other HTML tags. But this doesn't prevent anyone from
> inserting their own script on the page. Do you know you can inject a
> script in a URL? Guess what this does:
>
> [link](javascript:alert%28'Hello%20world!'%29)
>
This is a good point, and something I hadn't thought about myself. I
would think that markdown should *not* allow that regardless of any
safe/no-markup/whatever-you-call-it mode. If someone legitimately
wants javascript in their links/images/etc then they should be writing
raw html. What do you think?
Of course, then how do we do that? Some possibilities I came up with
without much thought:
1. Truncate a url at "javascript:"
2. Completely remove the entire url (perhaps replace with blank string or "#")
3. Leave the markup for the entire link as plain text (in other words -
it's not considered a match)
4. Do some kind of escaping (not sure what at this point) and leave it
in the url
--
Waylan Limberg
waylan at gmail.com