Hello everybody,

I've just noticed that markdown doesn't always generate XHTML. In particular the input

<script src="http://evilserver.net/evil.js">

generates the output:

<p><script src="http://evilserver.net/evil.js"></p>

(This is the markdown dingus at daring fireball, and the markdownj implementation exhibits the same problem. I haven't checked other implementations of markdown.)

I have two issues with this:
1. The script tag isn't closed, which means it's not valid XML (and thus not valid XHTML).
2. It's a security issue if you allow visitors to enter markdown text and display it on a page, e.g., in a forum, as it allows certain HTML injection attacks.

I've looked at the mailing list archives without finding any note that this is a known issue.

Would you consider this a bug or a feature? If it's a feature, then unfortunately I won't be able to use markdown for a forum I'm administrating due to the security implications.

Cheers,
-- Ulf
On Friday, 14 March 2008, Ulf Ochsenfahrt wrote:
> Hello everybody,
>
> I've just noticed that markdown doesn't always generate XHTML. In
> particular the input
>
> <script src="http://evilserver.net/evil.js">
>
> generates the output:
>
> <p><script src="http://evilserver.net/evil.js"></p>
>
> (This is the markdown dingus at daring fireball, and the markdownj
> implementation exhibits the same problem. I haven't checked other
> implementations of markdown.)
>
> I have two issues with this:
> 1. The script tag isn't closed, which means it's not valid XML (and thus
> not valid XHTML).

This is a bug in my eyes.

> 2. It's a security issue if you allow visitors to enter markdown text
> and display it on a page, e.g., in a forum, as it allows certain HTML
> injection attacks.
>
> I've looked at the mailing list archives without finding any note that
> this is a known issue.
>
> Would you consider this a bug or a feature? If it's a feature, then
> unfortunately I won't be able to use markdown for a forum I'm
> administrating due to the security implications.

The security issue is not Markdown's. You'll have to supply your own validation and input filtering mechanisms. A *good* editor could want to include `<script>` tags and it's not Markdown's philosophy to stand in the way here. There are tons of pretty decent filtering functions out there. Which programming language do you use?

-- 
Milian Wolff
http://milianw.de
OpenPGP key: CD1D1393
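As an added example of the "own validation and input filtering" Milian refers to (this is not code from the thread, from the Markdown dingus or from markdownj): an allowlist HTML sanitizer written in Python against the standard library's html.parser, meant to be run over the HTML that the Markdown converter emits, not over the Markdown source, because Markdown passes inline HTML through untouched. The allowed tags and attributes, the accepted URL schemes and the sample inputs below are assumptions chosen for a forum; adjust them to the site. The point the example shows is that a parser-based allowlist handles both of Ulf's complaints at once: the unclosed `<script src=...>` is dropped together with everything the parser swallows as script content, and whatever is still open at end of input is closed so the output stays well-formed.

```python
"""Allowlist HTML sanitizer for untrusted Markdown output (stdlib only).

Added example for the markdown-discuss thread; the allowlists and the
sample inputs are assumptions for a forum, not part of any Markdown tool.
"""
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: tags a forum post may render. Anything else is dropped
# (its text content is kept, except for script/style whose content is also
# dropped). Attributes are only kept for tags listed in ALLOWED_ATTRS.
ALLOWED_TAGS = {
    "p", "br", "em", "strong", "code", "pre", "blockquote",
    "ul", "ol", "li", "h1", "h2", "h3", "a",
}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
DROP_CONTENT = {"script", "style"}          # tags AND their content go
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")  # assumed policy


def safe_href(value):
    """Keep only absolute http(s)/mailto links; rejects javascript:, data:, vbscript: etc."""
    if value is None:
        return None
    v = value.strip()
    return v if v.lower().startswith(SAFE_URL_PREFIXES) else None


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded; we re-escape
        self.out = []
        self.stack = []       # allowed tags currently open, used to balance output
        self.drop_depth = 0   # > 0 while inside script/style
        self.dropped = []     # names of removed tags, handy for logging/alerting

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.drop_depth += 1
            self.dropped.append(tag)
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:            # html.parser lowercases names for us
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                     # e.g. onclick, style, srcdoc
            if name == "href":
                value = safe_href(value)
                if value is None:
                    continue
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.stack:
            return                           # disallowed or never-opened tag
        while self.stack:                    # close mis-nested children first
            open_tag = self.stack.pop()
            self.out.append("</%s>" % open_tag)
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                                 # comments are dropped outright

    def result(self):
        self.close()
        while self.stack:                    # close whatever the input left open,
            self.out.append("</%s>" % self.stack.pop())  # e.g. after an unclosed <script
        return "".join(self.out)


def sanitize(html):
    """Reduce html to the allowlist. Call on the converter's OUTPUT, never its input."""
    s = AllowlistSanitizer()
    s.feed(html)
    return s.result()


if __name__ == "__main__":
    # Constructed sample: exactly the output Ulf quoted from the dingus.
    unsafe = '<p><script src="http://evilserver.net/evil.js"></p>'
    print(repr(unsafe), "->", repr(sanitize(unsafe)))
```

Because the script start tag is dropped and its (unclosed) content with it, the thread's example reduces to `<p></p>`, and the `dropped` list tells you a post contained a `script` tag, which is worth logging on a forum. The same pass strips event-handler attributes and `javascript:` links, which are the remaining injection paths once `<script>` is gone.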