Closed GoogleCodeExporter closed 8 years ago
Although a better approach might be to get the attribute value (i.e. the URL),
set it as the innerHTML of a dummy element, then retrieve its
innerText/textContent (to unescape all HTML entities) to get the real URL. Then
replace any problematic characters, and afterwards escape special characters as
HTML entities. (Only `&`, `<`, and `"` would need to be escaped as part of a
quoted attribute value, wrapped in double quotes.)
Original comment by mathias@qiwi.be
on 9 Aug 2012 at 12:22
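The decode, clean, re-escape sequence described in the comment above, written out as an added example; this is not pagedown's code and not the commenter's. Two things are assumed here: the entity-decoding step is done with a small string decoder rather than a dummy DOM element so the snippet also runs outside a browser (in a browser, `DOMParser` gives an inert document and is the safer equivalent of assigning untrusted markup to a detached element's `innerHTML`), and "problematic characters" is interpreted as ASCII control characters plus a scheme allow list of `http`, `https` and `mailto`, which the comment does not specify.

```javascript
// Added example (not pagedown's code). Sanitise a URL that will be written
// into a double-quoted HTML attribute:
//   1. decode HTML entities to recover the real URL,
//   2. remove control characters and reject disallowed schemes (assumed list),
//   3. re-escape &, < and " for the quoted attribute context.

const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0' };

// Step 1: decode named, decimal and hexadecimal character references.
// Stands in for the comment's "dummy element innerHTML -> textContent" trick.
function decodeEntities(str) {
  return str.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named === undefined ? match : named; // leave unknown references alone
  });
}

// Assumption: only these schemes (plus scheme-less/relative URLs) are acceptable.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Step 2: strip ASCII control characters (tab, newline, NUL, ...) *before*
// inspecting the scheme, then apply the allow list. Returns null on rejection.
function cleanUrl(decoded) {
  const url = decoded.replace(/[\u0000-\u001f\u007f]/g, '').trim();
  const schemeMatch = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (schemeMatch && !ALLOWED_SCHEMES.has(schemeMatch[1].toLowerCase())) {
    return null; // e.g. javascript: or data: URLs
  }
  return url;
}

// Step 3: the three characters that matter inside a double-quoted attribute.
function escapeAttr(str) {
  return str.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;');
}

// Full pipeline: raw attribute text in, attribute-safe text (or null) out.
function sanitizeHref(rawAttrValue) {
  const cleaned = cleanUrl(decodeEntities(rawAttrValue));
  return cleaned === null ? null : escapeAttr(cleaned);
}

// Constructed sample input: an entity-encoded query string survives the round
// trip, while an entity-obfuscated scheme is decoded first and then rejected.
console.log(sanitizeHref('http://example.com/?a=1&amp;b=2'));
console.log(sanitizeHref('&#x6A;avascript:void(0)'));
```

The order matters: decoding before the scheme check is what keeps an entity-encoded scheme from slipping past the allow list, and escaping only after cleaning is what keeps the output from being double-encoded.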
I can't read that user's tweets (they're protected), but as I've already
explained at http://code.google.com/p/pagedown/issues/detail?id=34, there are
no XSS vulnerabilities. Markdown just allows you to do anything you want. As a
webmaster, it's *your* responsibility to sanitize user-entered input (and we
even include the tool for that in this repo).
Original comment by b...@stackoverflow.com
on 9 Aug 2012 at 3:30
Original issue reported on code.google.com by mathias@qiwi.be
on 9 Aug 2012 at 12:18