Closed GoogleCodeExporter closed 8 years ago
Luckily, Stack Overflow seems to have an extra layer of protection
(`sanitizeAndSplitTags`, perhaps?) that prevents XSS attacks like this one.
However, it would be useful to have this protection for all Pagedown users.
Original comment by mathias@qiwi.be
on 9 Aug 2012 at 1:40
This is absolutely by design.
Markdown allows you to do whatever you want. After all, you might just be using
it to create your own blog, and you should be able to do whatever you want
there.
And you didn't even have to go through some strange quote-less onload
pseudo-exploit -- <script>alert(1)</script> works just as fine.
Of course if you're using Markdown for user-submitted content, you want to
sanitize. As you said "Luckily, Stack Overflow seems to have an extra layer of
protection [...] However, it would be useful to have this protection for all
Pagedown users."
Well guess what, you have it! From the *introduction* of the documentation
(http://code.google.com/p/pagedown/wiki/PageDown):
It should be noted that Markdown is not safe as far as user-entered input goes.
Pretty much anything is valid in Markdown, in particular something like
<script>doEvil();</script>. This PageDown repository includes the two plugins
that Stack Exchange uses to sanitize the user's input; see the description of
Markdown.Sanitizer.js below.
Original comment by b...@stackoverflow.com
on 9 Aug 2012 at 3:21
*facepalms* Thanks for your patience!
Original comment by mathias@qiwi.be
on 9 Aug 2012 at 3:23
Original issue reported on code.google.com by
mathias@qiwi.be
on 9 Aug 2012 at 1:39