Markdown doesn't always generate XHTML

Rad Geek technophilia at
Sat Mar 15 14:00:30 EDT 2008

Ulf Ochsenfahrt wrote:

> Yes, there are situations where all document authors are trusted

> (authentication isn't trust though), but the fact remains that this

> makes markdown completely unusable for anything else.


No, it doesn't. All it does is make Markdown *alone* inappropriate for
content generated by untrusted users. But that shouldn't be surprising.
Markdown is designed to work as a preprocessor, not as an alternative to
HTML or as a sanitizer. If you need an HTML sanitizer, there are lots of
them available, and there should be nothing stopping you from using
Markdown in order to generate the HTML and then an appropriate second
tool to sanitize it:

$body = Markdown($source);
$body = WhitelistBasedFilter($body);

In fact that's precisely what a lot of Markdown consumers (e.g.
WordPress with PHP Markdown turned on for comments) do.

> And worse, people are not made aware of this fact.

Made aware of what? John Gruber's documentation is certainly quite
explicit that Markdown allows for raw HTML; that's part of the point of
Markdown, as opposed to other plaintext syntaxes that try to replace
HTML entirely. If you expect it to be something it's not (e.g. a
validating producer or a sanitizer) then you'll no doubt be
disappointed, but I don't think it's fair to claim that Markdown
implementers are the ones leading you to expect some other kind of
behavior than what you get.


More information about the Markdown-Discuss mailing list