views: 48
answers: 2

Hi,

I'm wondering how WMD is supposed to work.

When I type in the textarea the text doesn't have HTML, but once the text is stored in the DB it turns into HTML. WMD also shows all this HTML when reloading the content. Is it supposed to work like this?

Do I have to sanitize the text before it's put into the DB? If so, how? I thought WMD doesn't deal with HTML, except in code blocks. Also, there are p tags being added.

Using the HTML below, it gets added directly. I guess this could cause XSS attacks?

 - (1) <a onmouseover="alert(1)"
   href="#">read this!</a>

 - (2) <p <script>alert(1)</script>hello

 - (3) </td
   <script>alert(1)</script>hello

I wonder how WMD is supposed to work. I thought it was supposed to enter everything in its own markup, store its own markup and retrieve it, etc., instead of storing plain HTML.

Cheers, Ke

A: 

I've been waiting ages and can't seem to get any answers for this; I would appreciate it if someone could help me out.

I write a comment in the WMD editor and it works fine as Markdown, then save; then when I go to edit the comment it displays in HTML. If I change wmd_options from Markdown to HTML I get the opposite. What I want is for the comment to always be displayed in Markdown, except for between code tags.

I am wondering how SO accomplishes the following:

  1. Use the preview to insert malicious code and it only renders as text (unless the code is written in <code> tags).
  2. Render the saved comment as Markdown as opposed to HTML, so the user can keep editing the comment.

Unfortunately, these two very simple things I can't seem to accomplish even after days and days of searching, etc.

Would appreciate some help.

Cheers, Ke

Ke
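The two things asked for in the question and the follow-up (the three payloads rendering as text, and the editor reloading Markdown rather than HTML) are usually handled by storing the Markdown source as the canonical copy and running a tag whitelist over the HTML the renderer produces before it is displayed. The block below is an added example written for this page; it is not WMD's code, not Stack Overflow's code, and not a drop-in for any library. The allowed tag list, the SAFE_HREF pattern and the constructed SAMPLES are assumptions chosen to illustrate the approach. Anything not on the whitelist is escaped so the browser shows it literally, which is exactly the "only renders as text" behaviour the question describes.

```javascript
// Added example, not WMD's or Stack Overflow's code: a whitelist sanitizer for
// the HTML a Markdown renderer produces. Only the tags and attributes listed
// here survive; everything else is escaped so it renders as visible text.

// Tags kept as bare tags: every attribute on them is dropped (assumed list).
const ALLOWED_TAGS = new Set([
  'p', 'br', 'hr', 'em', 'strong', 'b', 'i', 'code', 'pre', 'blockquote',
  'ul', 'ol', 'li', 'h1', 'h2', 'h3', 'del', 'sup', 'sub', 'kbd',
]);

// href values accepted on <a>: http(s)/mailto URLs, root-relative paths,
// fragments, or relative paths with no scheme separator (no ':' at all).
// javascript:, data:, vbscript: and anything containing whitespace are rejected.
const SAFE_HREF = /^(?:(?:https?:\/\/|mailto:|\/|#)[^\s"'<>]*|[^\s"'<>:]*)$/i;

// Escape text so the browser shows it literally. Entities that are already
// well formed (&amp; &lt; &#39;) are left alone so renderer output is not
// double-escaped.
function escapeHtml(text) {
  return text
    .replace(/&(?!(?:[a-zA-Z]+|#\d+|#x[0-9a-fA-F]+);)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Handle one complete tag token "<...>". The tokenizer never passes a token
// containing a second '<', so "<p <script>" is never treated as a <p>.
function sanitizeTag(tag) {
  const m = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)(?:\s[^>]*)?\/?>$/.exec(tag);
  if (m) {
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    // Simple tag: rebuild it from the name alone, discarding all attributes.
    if (ALLOWED_TAGS.has(name)) return `<${m[1]}${name}>`;
    if (name === 'a') {
      if (closing) return '</a>';
      // Opening <a>: keep only a safe href. Event handlers such as
      // onmouseover are never copied across, so they disappear.
      const h = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)')/i.exec(tag);
      const href = h ? (h[1] !== undefined ? h[1] : h[2]) : '';
      if (SAFE_HREF.test(href)) return `<a href="${escapeHtml(href)}">`;
    }
  }
  // Not markup we accept (<script>, an unknown tag, an unsafe link, or
  // something malformed like "<>"): show it as literal text.
  return escapeHtml(tag);
}

// Tokenize into complete tags (no nested '<'), runs of text, and stray '<'
// characters; tags go through sanitizeTag, everything else is escaped.
function sanitizeHtml(html) {
  return html.replace(/<[^<>]*>|[^<]+|</g, (tok) =>
    tok.length > 1 && tok[0] === '<' ? sanitizeTag(tok) : escapeHtml(tok));
}

// Constructed inputs: the three payloads from the question plus a
// javascript: link and a piece of legitimate renderer output.
const SAMPLES = [
  '<a onmouseover="alert(1)" href="#">read this!</a>',
  '<p <script>alert(1)</script>hello',
  '</td\n<script>alert(1)</script>hello',
  '<a href="javascript:alert(1)">click</a>',
  '<p>Use <code>&lt;b&gt;</code> &amp; <em>emphasis</em></p>',
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '=>', JSON.stringify(sanitizeHtml(s)));
}
```

Run it with node. Payload (1) comes out as `<a href="#">read this!</a>` with the onmouseover handler gone; payloads (2) and (3) come out entirely escaped, because a `<` that is not followed by a well-formed tag is treated as text and `<script>` is not on the whitelist. The sanitizer belongs on the server, on the HTML you render from the stored Markdown, since anything done only in the browser can be bypassed by posting directly to the save endpoint; a regex whitelist like this is a teaching example, and for production you would want a sanitizer built on a real HTML parser.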
A: 

Anyone going to answer this?

Ke