when rational discussion was still a possibility
Alan Hogan
contact at alanhogan.com
Sat Sep 6 03:59:43 EDT 2014
> On Sep 6, 2014, at 12:08 AM, Andrei Fangli <andrei_fangli at hotmail.com> wrote:
>
> The JavaScript version is only good for preview at client-side to avoid posting to the server one too many times. To do client-side parsing and sending it to the server in the final format is a serious security leak (trusting that a post request sends a valid and harmless HTML is wishful thinking).
There’s little difference: if you are accepting markdown from untrusted users, you MUST also pass the resulting HTML through an XSS filter of some sort, no matter whether the markdown transform happens on the front or back end.
Alan