Should I sanitize markdown?

For my post entity I store both HTML and MARKDOWN in the database (HTML is converted from MARKDOWN). HTML is for rendering on the page and MARKDOWN is for editing ability (with WMD). I sanitize HTML before storing it to the db. Question is: should I sanitize markdown too? Or is it XSS-safe if I only pass it to the WMD editor?

admax, asked Aug 12 '09 14:08


1 Answer

Markdown can contain arbitrary HTML; this is explicitly allowed. So you should sanitise it too, or at least sanitise the result of converting it to HTML, before sending to web clients.

I remember that one of the exploits possible with SO in the early days is that you could put JS content in the Markdown, and whoever edited your article would trigger those scripts in the preview. I don't know if this is fixed yet.

Chris Jester-Young, answered Nov 05 '22 10:11
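As an added illustration of the answer's point (example code, not part of the original question or answer, and not WMD's or any Markdown library's code): a tiny Markdown subset converter that, like real Markdown, passes raw HTML through untouched, followed by an allow-list sanitizer run over the HTML output before it is served. The Markdown subset, the allowed tags/attributes and the sample post are assumptions made for this example; a real pipeline would use a full Markdown library and a maintained sanitizer, but the shape of the check is the same: sanitize the rendered HTML, not just the editor input.

```python
"""Markdown -> HTML -> allow-list sanitizer (constructed example)."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy for rendered post HTML: tags, per-tag attributes, URL schemes.
ALLOWED_TAGS = {"p", "em", "strong", "code", "pre", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL


def markdown_to_html(md: str) -> str:
    """Tiny Markdown subset: paragraphs, **strong**, *em*, `code`, [text](url).
    Raw HTML is passed through unchanged, exactly as Markdown specifies,
    which is why the output still needs sanitising."""
    out = []
    for block in re.split(r"\n\s*\n", md.strip()):
        if block.startswith("<") and block.endswith(">"):
            out.append(block)  # raw HTML block: Markdown leaves it as-is
            continue
        block = re.sub(r"\*\*(.+?)\*\*", r"<strong>\1</strong>", block)
        block = re.sub(r"\*(.+?)\*", r"<em>\1</em>", block)
        block = re.sub(r"`(.+?)`", r"<code>\1</code>", block)
        block = re.sub(r"\[(.+?)\]\((.+?)\)", r'<a href="\2">\1</a>', block)
        out.append(f"<p>{block}</p>")
    return "\n".join(out)


class AllowListSanitizer(HTMLParser):
    """Rebuilds HTML keeping only allow-listed tags and attributes.
    Text inside dropped <script>/<style> subtrees is discarded entirely;
    all other text is re-escaped on output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.skip_depth = 0  # > 0 while inside a <script>/<style> subtree

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # drop the tag (e.g. <img>), keep any text it contained
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onerror=, onmouseover=, style=, ...
            scheme = urlparse((value or "").strip()).scheme.lower()
            if name == "href" and scheme not in SAFE_SCHEMES:
                continue  # drops javascript:, data:, vbscript: links
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.parts.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):  # <br/>, <img ... />
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.parts.append(html.escape(data, quote=False))


def sanitize_html(fragment: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.parts)


def render_post(markdown_source: str) -> str:
    """What the server should send to browsers: sanitise the HTML that the
    Markdown converter produced, never trust the Markdown itself."""
    return sanitize_html(markdown_to_html(markdown_source))


# Constructed sample post: legitimate Markdown plus the shapes the answer
# warns about (raw <script>, an event-handler attribute, a javascript: link).
SAMPLE_POST = """Hello **world**, see [docs](https://example.com/docs).

<script>alert(1)</script>

<img src="x" onerror="alert(1)">

Click [here](javascript:alert%281%29) and <em onmouseover="alert(1)">hover</em>."""

if __name__ == "__main__":
    print("converted (unsafe):\n", markdown_to_html(SAMPLE_POST))
    print("\nsanitised (served):\n", render_post(SAMPLE_POST))
```

Running the block shows the converter output still containing the `<script>` block and the `onerror` attribute, and the sanitised output keeping `<strong>`, `<em>` and the `https:` link while the script body, the `<img>` and every event-handler or `javascript:` attribute are gone. Storing the Markdown unsanitised is fine as long as every path that turns it into HTML (server-side render and the editor's live preview alike) goes through this step.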