Escape from XSS vulnerability maintaining Markdown syntax?

Question

I'm planning to use Markdown syntax in my web page. I will keep users input (raw, no escaping or whatever) in the database and then, as usual, print out and escape on-the-fly with htmlspecialchars().

This is how it could look:

echo markdown(htmlspecialchars($content));

By doing that I'm protected from XSS vulnerabilities and Markdown works. Or, at least, kinda work.

The problem is, lets say, > syntax (there are other cases too, I think).

In short, to quote you do something like this:

> This is my quote.

After escaping and parsing to Markdown I get this:

> This is my quote.

Naturally, Markdown parser do not recognize > as “quote's symbol” and it does not work! :(

I came here to ask for solutions to this problem. One idea was to:

First, parse to Markdown, — then with HTML Purifier remove “bad parts”.

What do you think about it? Would it actually work?

I'm sure that someone had have the same situation and the one can help me too. :)

balpha · Accepted Answer

Yes, a certain website has that exact same situation. At the time I'm writing this, you have 1664 reputation on that website :)

On Stack Overflow, we do exactly what you describe (except that we don't render on the fly). The user-entered Markdown source is converted to plain HTML, and the result is then sanitized using a whitelist approach (JavaScript version, C# version part 1, part 2).

That's the same approach that HTML Purifier takes (having never used it, I can't speak for details though).

Escape from XSS vulnerability maintaining Markdown syntax?

Answers (2)

Related Questions