For my post entity i store both HTML and MARKDOWN in database (HTML is converted from MARKDOWN). HTML is for rendering on page and MARKDOWN for editing ability (with WMD). I sanitize HTML before storing to db. Question is: should i sanitize markdown too? or it is xss-safe if i only pass it to wmd-editor?
+6
A:
Markdown can contain arbitrary HTML; this is explicitly allowed. So you should sanitise it too, or at least sanitise the result of converting it to HTML, before sending to web clients.
I remember that one of the exploits possible with SO in the early days is that you could put JS content in the Markdown, and whoever edited your article would trigger those scripts in the preview. I don't know if this is fixed yet.
Chris Jester-Young
2009-08-12 14:48:51
+2
A:
I've noticed that you "sanitize HTML before storing to db" and speak of xss-safe in the next sentence. Those are two different facets of input validation, and you should not mix them up, and address both in your design:
You should safely insert any user input into the database, i.e. make sure the input is properly escaped (mysql_real_escape_string, stored procedures, ORM libraries, etc.)
You should safely output to HTML / JS (including input to WMD), removing or escaping any sequences that can be turned into XSS exploits and other unpleasantness.
As to the question, I agree with Chris - since Markdown can include HTML, it must be sanitized.
MaxVT
2009-08-12 15:51:29