Markdown doesn't always generate XHTML

Rad Geek technophilia at radgeek.com
Sat Mar 15 14:00:30 EDT 2008


Ulf Ochsenfahrt wrote:


> Yes, there are situations where all document authors are trusted
> (authentication isn't trust though), but the fact remains that this
> makes markdown completely unusable for anything else.


Ulf,

No, it doesn't. All it does is make Markdown *alone* inappropriate for
content generated by untrusted users. But that shouldn't be surprising.
Markdown is designed to work as a preprocessor, not as an alternative to
HTML or as a sanitizer. If you need an HTML sanitizer, there are lots of
them available, and there should be nothing stopping you from using
Markdown in order to generate the HTML and then an appropriate second
tool to sanitize it:

$body = Markdown($source);
$body = WhitelistBasedFilter($body);

In fact that's precisely what a lot of Markdown consumers (e.g.
WordPress with PHP Markdown turned on for comments) do.

> And worse, people are not made aware of this fact.

Made aware of what? John Gruber's documentation is certainly quite
explicit that Markdown allows for raw HTML; that's part of the point of
Markdown, as opposed to other plaintext syntaxes that try to replace
HTML entirely. If you expect it to be something it's not (e.g. a
validating producer or a sanitizer) then you'll no doubt be
disappointed, but I don't think it's fair to claim that Markdown
implementers are the ones leading you to expect some other kind of
behavior than what you get.

-C
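A concrete version of the two-step pipeline described above (Markdown first, whitelist filter second), added here as example code that is not from the post or from any Markdown implementation. The Markdown step is replaced by a constructed sample of the HTML it would emit for a comment containing raw HTML, and `whitelist_based_filter` stands in for the hypothetical `WhitelistBasedFilter`.

```python
# Added example: a minimal whitelist-based HTML filter run over the output
# of a Markdown processor. Tag/attribute lists are assumptions for the demo.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "em", "strong", "a", "code", "pre", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}      # no event handlers, no style
ALLOWED_SCHEMES = {"http", "https", "mailto"}  # relative URLs also pass
DROP_CONTENT = {"script", "style"}              # tag AND its text are removed


class WhitelistFilter(HTMLParser):
    """Re-emit only whitelisted tags/attributes; other tags are stripped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped, its text content is kept
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            scheme = urlparse(value).scheme.lower()
            if name == "href" and scheme and scheme not in ALLOWED_SCHEMES:
                continue  # e.g. javascript: URLs are rejected
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # re-escape text


def whitelist_based_filter(html: str) -> str:
    """Second pipeline stage: $body = WhitelistBasedFilter($body)."""
    p = WhitelistFilter()
    p.feed(html)
    p.close()
    return "".join(p.out)


# Constructed sample of what Markdown emits when a comment carries raw HTML.
MARKDOWN_OUTPUT = (
    '<p>Nice <em>post</em>! <a href="https://example.com/" onclick="evil()">link</a></p>\n'
    "<script>alert('xss')</script>\n"
    '<p><a href="javascript:alert(1)">click</a> &lt;3</p>'
)
```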



