For my post entity i store both HTML and MARKDOWN in database (HTML is converted from MARKDOWN). HTML is for rendering on page and MARKDOWN for editing ability (with WMD). I sanitize HTML before storing to db. Question is: should i sanitize markdown too? or it is xss-safe if i only pass it to wmd-editor?
相关问题
- Views base64 encoded blob in HTML with PHP
- Is there a way to play audio on a mobile browser w
- HTML form is not sending $_POST values
- implementing html5 drag and drop photos with knock
-
Why does the box-shadow property not apply to a
Markdown can contain arbitrary HTML; this is explicitly allowed. So you should sanitise it too, or at least sanitise the result of converting it to HTML, before sending to web clients.
I remember that one of the exploits possible with SO in the early days is that you could put JS content in the Markdown, and whoever edited your article would trigger those scripts in the preview. I don't know if this is fixed yet.
I've noticed that you "sanitize HTML before storing to db" and speak of xss-safe in the next sentence. Those are two different facets of input validation, and you should not mix them up, and address both in your design:
You should safely insert any user input into the database, i.e. make sure the input is properly escaped (mysql_real_escape_string, stored procedures, ORM libraries, etc.)
You should safely output to HTML / JS (including input to WMD), removing or escaping any sequences that can be turned into XSS exploits and other unpleasantness.
As to the question, I agree with Chris - since Markdown can include HTML, it must be sanitized.
Just an addition:
This question came from using WMD