miyuchina / mistletoe

A fast, extensible and spec-compliant Markdown parser in pure Python.
MIT License

Code Injection bug #83

Closed ghost closed 2 years ago

ghost commented 5 years ago
  1. Download the file (https://github.com/cujanovic/Markdown-XSS-Payloads/blob/master/Markdown-XSS-Payloads.txt) and rename it to 123.md

  2. Run mistletoe 123.md > out.html

  3. Open out.html


How to fix it?

Thank you very much.

miyuchina commented 5 years ago

Thank you for this--I don't actually think, though, that it is up to the parser to strip user input of malicious content. Especially since mistletoe is written in Python, its output is less likely (than some JavaScript parsers, at least) to be hooked directly into a front-end. Stripping HTML tags, as discussed in #74, might be a possibility, but still cannot prevent XSS injections completely, and I don't feel capable of doing a security audit of Markdown anyways.

This came up in my brief research of the topic, which might also be helpful: Showdown, a JavaScript parser, recommends that users do XSS filtering after the Markdown parser has finished producing HTML.

Sorry I won't be able to fix this. I'll nevertheless add a note in the documentation about XSS injections, and I'll keep this issue open for now.
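One way to do the post-parsing XSS filtering that the reply above recommends, as an added example that is neither mistletoe's code nor code from this thread: a stdlib-only allowlist sanitizer (the `Sanitizer` and `sanitize` names are hypothetical) run over a constructed sample that stands in for what a Markdown-to-HTML parser might emit on hostile input.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "br", "a", "em", "strong", "code", "pre", "ul", "ol", "li", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
SAFE_SCHEMES = {"", "http", "https", "mailto"}    # "" covers relative URLs
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style"}           # tag and its text both go

def safe_url(value):
    # Browsers ignore tabs/newlines inside a URL, so strip control characters
    # before reading the scheme; otherwise "java\tscript:" passes the check.
    return urlparse(re.sub(r"[\x00-\x20]", "", value)).scheme in SAFE_SCHEMES

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities decoded before checks
        self.out, self.skipping = [], None

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skipping = tag
        elif tag in ALLOWED_TAGS:                 # unknown tags vanish, text stays
            kept = []
            for name, value in attrs:
                value = value or ""
                if name not in ALLOWED_ATTRS.get(tag, set()):
                    continue                      # onerror, onclick, style, ...
                if name in ("href", "src") and not safe_url(value):
                    continue                      # javascript:, data:, vbscript:
                kept.append(f' {name}="{escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skipping is None:
            self.out.append(escape(data, quote=False))

def sanitize(html):
    s = Sanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out)

# Constructed stand-in for parser output on hostile Markdown, not real mistletoe output.
SAMPLE = ('<p><a href="javascript:alert(1)">click</a> <img src="x" onerror="alert(1)"> '
          '<strong>bold</strong></p><script>alert(1)</script>')
```

Because the check runs on the parsed attribute value, entity-encoded schemes such as `javascript&colon;` are decoded before the allowlist sees them.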