Yesterday we saw an interesting discussion about SQL injection vulnerabilities exposed by a GitHub search [1]. So I thought I'd do something similar, but with a slightly more sophisticated and somewhat less visible vulnerability: unsanitized Markdown output.
Public Service Announcement: Markdown does not sanitize anything. Markdown output can contain anything from <script> to <iframe>. Displaying the raw output of Markdown is just as dangerous as displaying any piece of HTML. Always pass the output of Markdown through a proper sanitization library, such as HTML Purifier [2], unless you're absolutely sure that the input is trusted.
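To make the point concrete, here is an added example (not code from the post, and not HTML Purifier itself): a toy Markdown renderer that, like real Markdown implementations, passes raw HTML through untouched, followed by a small allowlist sanitizer built on Python's standard-library HTML parser. The tag and attribute allowlist and the sample comment are assumptions made for the demonstration; a production system should use a maintained sanitizer such as the one the post recommends.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for a comment renderer; a real policy would be broader.
ALLOWED_TAGS = {"p", "em", "strong", "a", "code", "pre", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL = re.compile(r"^(https?:|mailto:)", re.I)
# Elements whose text content must be dropped entirely, not just their tags.
DROP_CONTENT = {"script", "style", "iframe", "object", "embed"}

def render_markdown(text):
    """Toy Markdown: **bold**, *em*, blank-line paragraphs. Raw HTML passes through."""
    html = re.sub(r"\*\*(.+?)\*\*", r"<strong>\1</strong>", text)
    html = re.sub(r"\*(.+?)\*", r"<em>\1</em>", html)
    return "".join(f"<p>{p.strip()}</p>" for p in html.split("\n\n") if p.strip())

class Sanitizer(HTMLParser):
    """Rebuilds the document keeping only allowlisted tags/attributes and safe URLs."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1          # suppress everything until the matching close
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                         # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value and SAFE_URL.match(value.strip()):
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape decoded text

def sanitize(html):
    s = Sanitizer(); s.feed(html); s.close()
    return "".join(s.out)

# Constructed user comment: Markdown mixed with the kind of raw HTML the post warns about.
SAMPLE = ('Hi **there**\n\n<script>alert(1)</script> <a href="javascript:void(0)">x</a> '
          '<iframe src="https://example.com"></iframe>')

if __name__ == "__main__":
    raw = render_markdown(SAMPLE)
    print("UNSAFE:", raw)              # contains <script> and <iframe> verbatim
    print("SAFE:  ", sanitize(raw))    # script/iframe gone, javascript: href stripped
```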
[1] https://news.ycombinator.com/item?id=5805025
[2] http://htmlpurifier.org/