I'm working on a web application that allows users to type short descriptions of items in a catalog. I'm allowing Markdown in my textareas so users can do some HTML formatting.
My text sanitization function strips all tags from any inputted text before inserting it in the database:
    // Strip all HTML except the tags listed in $allowedTags (none by default),
    // then escape the result for use in a MySQL query string.
    public function sanitizeText($string, $allowedTags = "") {
        $string = strip_tags($string, $allowedTags);
        // Undo the slashes magic_quotes adds so the value is not escaped twice.
        if (get_magic_quotes_gpc()) {
            return mysql_real_escape_string(stripslashes($string));
        } else {
            return mysql_real_escape_string($string);
        }
    }
Essentially, all I'm storing in the database is Markdown: no other HTML, not even "basic HTML" (like here at SO), is allowed.
Will allowing markdown present any security threats? Can markdown be XSSed, even though it has no tags?
Sanitizing the resulting HTML after rendering the Markdown is going to be safest. If you don't, I think that people would be able to execute arbitrary Javascript in Markdown like so:

    [Click me](javascript:alert\('Gotcha!'\);)

PHP Markdown converts this to:

    <p><a href="javascript:alert('Gotcha!');">Click me</a></p>

Which does the job. And don't even think about beginning to add in code to take care of these cases. Correct sanitization isn't easy; just use a good tool and apply it after you render your Markdown into HTML.
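To make the answer's point concrete, here is an added example (not code from the question or answer, and not PHP Markdown itself) that reproduces the two steps: a toy link renderer that behaves like PHP Markdown on the snippet above, and an allow-list HTML sanitizer run on the rendered output. The allow-list of tags, attributes and URL schemes, and the helper names, are assumptions chosen for this example; a real deployment should use a maintained sanitizer library, as the answer says.

```python
"""Render a Markdown link, then sanitize the resulting HTML with an allow-list."""
import html
import re
from html.parser import HTMLParser

# Constructed allow-lists for this example: everything else is dropped.
ALLOWED_TAGS = {"p", "a", "em", "strong", "code", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# [label](url) with backslash escapes allowed inside the URL, as in the question.
_LINK = re.compile(r"\[([^\]]+)\]\(((?:\\.|[^)\\])*)\)")


def render_markdown_links(text):
    """Toy stand-in for PHP Markdown's link handling (hypothetical helper).

    Like the real renderer it removes backslash escapes in the URL and never
    inspects the scheme, so a javascript: URL passes straight through.
    """
    def repl(m):
        label = html.escape(m.group(1), quote=False)
        url = re.sub(r"\\(.)", r"\1", m.group(2)).replace('"', "&quot;")
        return '<a href="%s">%s</a>' % (url, label)
    return "<p>" + _LINK.sub(repl, text) + "</p>"


def _safe_href(value):
    # Browsers ignore ASCII control characters and whitespace when parsing a
    # URL, so strip them before looking at the scheme.
    cleaned = "".join(ch for ch in value if ch > " " and ch != "\x7f")
    if ":" not in cleaned:
        return True  # relative URL, no scheme
    scheme = cleaned.split(":", 1)[0].lower()
    return scheme in ALLOWED_SCHEMES


class _Sanitizer(HTMLParser):
    """Rebuilds the fragment keeping only allow-listed tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                if name == "href" and not _safe_href(value):
                    continue  # unsafe scheme: drop the attribute, keep the text
                kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize_html(fragment):
    """Sanitize rendered HTML; this is the step the answer says must run last."""
    p = _Sanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed input: the exact snippet from the answer above.
    rendered = render_markdown_links("[Click me](javascript:alert\\('Gotcha!'\\);)")
    print(rendered)                 # the href the answer shows
    print(sanitize_html(rendered))  # href removed, link text kept
```

The renderer alone yields the `<a href="javascript:...">` markup from the answer; only the sanitizer applied to that output removes the attribute, which is why sanitizing the Markdown source with `strip_tags` does nothing here.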