Cross Site Scripting issue in Standard Markdown example at try.standardmarkdown.com

I have always been and continue to be of the opinion that it’s not Markdown’s job to sanitize anything. Markdown should allow you to create anything you want, including script tags. I’m writing my own blog in Markdown, and I want to be able to write any JavaScript I want there.

Now, for places where Markdown is being used for user-generated content, sanitizing is necessary. But everyone has different requirements here. We could provide some sort of default sanitizer alongside (Stack Exchange does this with PageDown), but in the end everyone will have their own list of things they want to allow or prevent.

4 Likes
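
An added example (not from the original post, and not PageDown's code): sanitizing the rendered HTML as a separate step after Markdown conversion, with the allowlist passed in per site. All function names, both policies and the sample HTML are constructed for illustration; only Python's standard library is used.

```python
from html import escape
from html.parser import HTMLParser
VOID = {"br", "hr", "img"}
DROP_WITH_CONTENT = {"script", "style"}
SAFE_SCHEMES = {"http", "https", "mailto"}

def safe_url(value):
    cleaned = "".join(ch for ch in value if ch > " ")  # browsers ignore tabs/newlines here
    head = cleaned.split(":", 1)[0]
    if ":" not in cleaned or any(c in head for c in "/?#"):
        return True  # relative URL, no scheme
    return head.lower() in SAFE_SCHEMES

class _Sanitizer(HTMLParser):
    def __init__(self, policy):
        super().__init__(convert_charrefs=True)
        self.policy, self.out, self.open_tags, self.skip = policy, [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif not self.skip and tag in self.policy:
            kept = [(n, v or "") for n, v in attrs if n in self.policy[tag]]
            kept = [(n, v) for n, v in kept if n not in ("href", "src") or safe_url(v)]
            self.out.append("<" + tag + "".join(f' {n}="{escape(v)}"' for n, v in kept) + ">")
            if tag not in VOID:
                self.open_tags.append(tag)
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in self.open_tags:
            while self.open_tags:  # also closes anything left open inside it
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break
    def handle_data(self, data):
        if not self.skip:  # text inside script/style is dropped, all other text is escaped
            self.out.append(escape(data, quote=False))

def sanitize(rendered_html, policy):
    # policy maps each allowed tag to its allowed attribute names; everything else is dropped
    parser = _Sanitizer(policy)
    parser.feed(rendered_html)
    parser.close()
    return "".join(parser.out) + "".join(f"</{t}>" for t in reversed(parser.open_tags))
# Constructed sample: HTML as a Markdown renderer that passes raw HTML through would emit it.
RENDERED = ('<p>Hi <em>there</em> <a href="javascript:alert(1)" onclick="x()">link</a>'
            '<script>alert(1)</script><img src="https://example.com/a.png" onerror="x()"></p>')
COMMENT_POLICY = {"p": set(), "em": set(), "a": {"href"}}   # hypothetical site A
FORUM_POLICY = {**COMMENT_POLICY, "img": {"src", "alt"}}    # hypothetical site B
```

The same rendered output yields different results under `COMMENT_POLICY` and `FORUM_POLICY`, while a personal blog can skip `sanitize` entirely and keep its script tags.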