XSS: fails to escape link text in [<svg/onload=alert(1)//]() correctly about pagedown HOT 3 CLOSED

Luckily, Stack Overflow seems to have an extra layer of protection 
(`sanitizeAndSplitTags`, perhaps?) that prevents XSS attacks like this one. 
However, it would be useful to have this protection for all Pagedown users.

This is absolutely by design.

Markdown allows you to do whatever you want. After all, you might just be using 
it to create your own blog, and you should be able to do whatever you want 
there.

And you didn't even have to go through some strange quote-less onload 
pseudo-exploit -- <script>alert(1)</script> works just as fine.

Of course if you're using Markdown for user-submitted content, you want to 
sanitize. As you said "Luckily, Stack Overflow seems to have an extra layer of 
protection [...] However, it would be useful to have this protection for all 
Pagedown users."

Well guess what, you have it! From the *introduction* of the documentation 
(http://code.google.com/p/pagedown/wiki/PageDown):

It should be noted that Markdown is not safe as far as user-entered input goes. 
Pretty much anything is valid in Markdown, in particular something like 
<script>doEvil();</script>. This PageDown repository includes the two plugins 
that Stack Exchange uses to sanitize the user's input; see the description of 
Markdown.Sanitizer.js below.

*facepalms* Thanks for your patience!