tags:

views:

69

answers:

0
+1  Q: 

After escaping html chars with CakePHP's Santiize::html() is it secure to unescape chars like *() inorder for the markdown parser to work?

Before displaying user posts I run them though Sanitize::html() to escape all html. But it escapes some of the chars that are used for the Markdown parser.

This is what I want: I'm testing this markdown. Try clicking here

This is what I get: I'm testing this markdown. Try [clicking](http://www.google.com) here

So I'm wondering if it is okay to unescape the markdown chars or is that going to leave me open to some XSS exploit?

related questions

How can I make spotlight index markdown files?
What markup language for richly formated content?
Markdown in outlook
What tools does your team use for writing user manuals?
What is the best way to store and display markdown-entered text?
Markdown and image alignment
Design Pattern to apply conversion to multiple properties in multiple classes
How to validate Markdown?
Convert HTML back to Markdown for editing in wmd
How do I get python-markdown to additionally "urlify" links when formatting plain text?
Bookmarklet link in Markdown document
How would you go about auto-detecting Textile versus Markdown?
Vim Markdown highlighting (list items and code block conflicts)
Is there any good Markdown Javascript library or control?
Saving contents of the WMD Editor Control
How do you store the markdown using WMD in asp.net?
Regular expression to convert mark down to HTML
Processing Javascript RegEx submatches
HTML to Markdown with Java
How do you get double-underscores to display in markdown?
How can I get markdown to format this code properly ?
Markdown versus ReStructuredText
A WYSIWYG Markdown control for Windows Forms?
Markdown vs markup - are they related?
Are there any tools to convert Markdown documents to HTML en masse?