Is Markdown (with strip_tags) sufficient to stop XSS attacks?

Question

I'm working on a web application that allows users to type short descriptions of items in a catalog. I'm allowing Markdown in my textareas so users can do some HTML formatting.

My text sanitization function strips all tags from any inputted text before inserting it in the database:

public function sanitizeText($string, $allowedTags = "") {
    $string = strip_tags($string, $allowedTags);

    if(get_magic_quotes_gpc()) {
        return mysql_real_escape_string(stripslashes($string));
    } else {
        return mysql_real_escape_string($string);
    }
}

Essentially, all I'm storing in the database is Markdown--no other HTML, even "basic HTML" (like here at SO) is allowed.

Will allowing markdown present any security threats? Can markdown be XSSed, even though it has no tags?

Answer 1

Sanitizing the resulting HTML after rendering the Markdown is going to be safest. If you don't, I think that people would be able execute arbitrary Javascript in Markdown like so:

[Click me](javascript:alert\('Gotcha!'\);)

PHP Markdown converts this to:

<p><a href="javascript:alert&#40;'Gotcha!'&#41;;">Click me</a></p>

Which does the job. ...and don't even think about beginning to add in code to take care of these cases. Correct sanitization isn't easy, just use a good tool and apply it after you render your Markdown into HTML.