Before displaying user posts I run them through Sanitize::html() to escape all HTML. But it escapes some of the chars that are used for the Markdown parser.

This is what I want: I'm testing this markdown. Try clicking here

This is what I get: I'm testing this markdown. Try [clicking](http://www.google.com) here

So I'm wondering if it is okay to unescape the markdown chars or is that going to leave me open to some XSS exploit?
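One way to sidestep the unescaping question entirely, shown here as an added example in Python (not CakePHP's Sanitize::html() and not the poster's code): escape the whole post first, then render a small Markdown subset over the already-escaped text, and allow-list the URL schemes that may become an href. The link syntax handled, the scheme list and the sample posts are all assumptions of the example.

```python
import html
import re
from urllib.parse import urlparse

# Constructed example: the point is the order of operations. Escape the post
# first, then render a Markdown subset (here only [label](url) links) over the
# escaped text, so user-supplied HTML never reaches the output unescaped.
LINK_RE = re.compile(r"\[([^\]]+)\]\(([^)\s]+)\)")
SAFE_SCHEMES = {"http", "https", "mailto"}  # assumed allowlist


def safe_href(url):
    """Return url if it is safe to emit as an href, else None.

    Absolute URLs must use an allow-listed scheme (rejecting javascript: and
    data: links). URLs without a scheme are accepted only when root-relative,
    so a bare "www.example.com" is dropped rather than guessed at.
    """
    scheme = urlparse(url).scheme  # urlparse lower-cases the scheme
    if scheme:
        return url if scheme in SAFE_SCHEMES else None
    return url if url.startswith(("/", "#", "?")) else None


def render_post(text):
    """Escape the user's text, then turn Markdown links into anchors."""
    escaped = html.escape(text, quote=True)

    def link(match):
        # The URL was escaped along with everything else (e.g. & -> &amp;),
        # so decode it before checking the scheme and re-escape it on output.
        label, url = match.group(1), html.unescape(match.group(2))
        href = safe_href(url)
        if href is None:
            return label  # drop the link but keep the visible text
        return '<a href="%s">%s</a>' % (html.escape(href, quote=True), label)

    return LINK_RE.sub(link, escaped)
```

The label text stays escaped because it is taken from the escaped string, and any other Markdown constructs you add should follow the same pattern: match on the escaped text and emit only markup you generated yourself.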