Comments (3)
Luckily, Stack Overflow seems to have an extra layer of protection
(`sanitizeAndSplitTags`, perhaps?) that prevents XSS attacks like this one.
However, it would be useful to have this protection for all Pagedown users.
Original comment by [email protected]
on 9 Aug 2012 at 1:40
from pagedown.
This is absolutely by design.
Markdown allows you to do whatever you want. After all, you might just be using
it to create your own blog, and you should be able to do whatever you want
there.
And you didn't even have to go through some strange quote-less onload
pseudo-exploit -- <script>alert(1)</script> works just as fine.
Of course if you're using Markdown for user-submitted content, you want to
sanitize. As you said "Luckily, Stack Overflow seems to have an extra layer of
protection [...] However, it would be useful to have this protection for all
Pagedown users."
Well guess what, you have it! From the *introduction* of the documentation
(http://code.google.com/p/pagedown/wiki/PageDown):
It should be noted that Markdown is not safe as far as user-entered input goes.
Pretty much anything is valid in Markdown, in particular something like
<script>doEvil();</script>. This PageDown repository includes the two plugins
that Stack Exchange uses to sanitize the user's input; see the description of
Markdown.Sanitizer.js below.
Original comment by [email protected]
on 9 Aug 2012 at 3:21
- Changed state: Invalid
from pagedown.
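The maintainer's point above is that Markdown passes raw HTML through unchanged, so the protection for user-submitted content is a whitelist pass over the converted HTML. As an added example that is not PageDown's own Markdown.Sanitizer.js, here is a self-contained JavaScript sanitizer built on that same approach (keep a short list of tags and attribute shapes, drop every other tag); the whitelists, the function names and the sample input are assumptions made for this illustration.

```javascript
// Added example, modeled on the whitelist approach the maintainer points to;
// it is not PageDown's Markdown.Sanitizer.js and the whitelists below are
// assumptions for this illustration. Markdown leaves raw HTML untouched, so
// the sanitizer runs over the converter's HTML output, not over the Markdown.

// Tags that may appear with no attributes at all.
const ALLOWED_BASIC =
  /^(<\/?(b|blockquote|code|del|dd|dl|dt|em|h[1-6]|i|kbd|li|ol|p|pre|s|sup|sub|strong|strike|ul)>|<(br|hr)\s?\/?>)$/i;
// <a> may carry only a quoted http(s)/ftp/relative href and an optional title,
// which rules out javascript: URLs and every event-handler attribute.
const ALLOWED_A =
  /^(<a\shref="((https?|ftp):\/\/|\/)[-A-Za-z0-9+&@#\/%?=~_|!:,.;()]+"(\stitle="[^"<>]+")?\s?>|<\/a>)$/i;
// <img> may carry only a quoted src plus optional width/height/alt/title.
const ALLOWED_IMG =
  /^<img\ssrc="(https?:\/\/|\/)[-A-Za-z0-9+&@#\/%?=~_|!:,.;()]+"(\swidth="\d{1,3}")?(\sheight="\d{1,3}")?(\salt="[^"<>]*")?(\stitle="[^"<>]*")?\s?\/?>$/i;

function sanitizeTag(tag) {
  // A tag survives only if it matches one whitelist exactly; otherwise the
  // whole tag is dropped. Text between tags is never touched.
  if (ALLOWED_BASIC.test(tag) || ALLOWED_A.test(tag) || ALLOWED_IMG.test(tag)) {
    return tag;
  }
  return "";
}

function sanitizeHtml(html) {
  // Every "<" up to the next ">" (or end of input, for an unterminated tag)
  // is treated as a tag candidate. This pass does not balance tags: when a
  // rejected opening tag leaves its closing tag behind (see the stray </a>
  // in the sample output), a full sanitizing converter must also close or
  // remove the orphaned tags afterwards.
  return html.replace(/<[^>]*>?/gi, sanitizeTag);
}

// Constructed sample of what a Markdown converter would emit for hostile input.
const SAMPLE = '<p>Hello <strong>world</strong></p>' +
  '<script>alert(1)</script>' +
  '<img src=x onerror=alert(1)>' +
  '<a href="javascript:alert(1)">click</a>' +
  '<a href="https://example.com" title="ok">safe link</a>';

console.log(sanitizeHtml(SAMPLE));
// → <p>Hello <strong>world</strong></p>alert(1)click</a><a href="https://example.com" title="ok">safe link</a>
```

In PageDown the equivalent pass is registered on the converter's postConversion hook, which is why the documentation quoted above says to use the sanitizing converter rather than the plain one for anything user-entered.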
*facepalms* Thanks for your patience!
Original comment by [email protected]
on 9 Aug 2012 at 3:23
from pagedown.