1. 23

  2. 8

    Definitely a recommended read!

    So you have to take a different approach. If you’re using Markdown, you can either:

    1. Allow them to only enter pure Markdown, and convert that to HTML on render (many Markdown libraries allow raw HTML by default; be sure to disable that). This is the most secure option, but also more restrictive.
    2. Allow them to use HTML in the Markdown, but only a whitelist of allowed tags and attributes, such as <a href="…"> and <img src="…">. Both Stack Exchange and GitHub take this second approach.

    I would like to add a word of caution here for thinking twice before attempting the whitelisting approach. For HTML there might be good tools around already, but in other situations it might be even more risky.

    Even if you are careful, things can go horribly wrong. Doing things differently is often more work, but the outcome is more predictable.
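The two options above are easy to state and fiddly to implement, which is the commenter's point. The following is an added example, not code from the post or from any of the commenters: a minimal allowlist sanitizer built only on Python's standard library `html.parser`. The allowlist policy (`ALLOWED_TAGS`, `ALLOWED_SCHEMES`) and the function names are assumptions chosen for the example. It re-serialises the fragment, keeping only listed tags and attributes, checks the scheme of `href`/`src` values, drops `<script>`/`<style>` together with their content, re-escapes every piece of text and attribute value on output, and closes whatever the author left open.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist policy (an assumption made for this example; tune it per application):
# permitted tag -> permitted attributes. Everything not listed is dropped.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "img": {"src", "alt"},
    "p": set(), "em": set(), "strong": set(), "code": set(),
    "ul": set(), "ol": set(), "li": set(),
}
VOID_TAGS = {"img"}                 # elements without a closing tag
URL_ATTRS = {"href", "src"}         # values must pass normalize_url()
ALLOWED_SCHEMES = {"http", "https", "mailto"}
DROP_CONTENT = {"script", "style"}  # drop the element *and* its text
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def normalize_url(value):
    """Return a cleaned URL if it uses an allowed scheme (or is a plain relative
    path), otherwise None. Control characters are removed first, because browsers
    ignore them inside a URL and a naive scheme check would not."""
    cleaned = CONTROL_CHARS.sub("", value).strip()
    parsed = urlparse(cleaned)
    if parsed.scheme == "":
        # relative path; reject protocol-relative "//host", which points at any host
        return None if cleaned.startswith("//") else cleaned
    return cleaned if parsed.scheme.lower() in ALLOWED_SCHEMES else None


class AllowlistSanitizer(HTMLParser):
    """Re-serialises an untrusted HTML fragment keeping only allowlisted tags and
    attributes; all text and attribute values are re-escaped on output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags emitted but not yet closed
        self.drop_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return            # unknown tag: drop the tag itself, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue      # e.g. onclick=..., style=...
            if name in URL_ATTRS:
                value = normalize_url(value)
                if value is None:
                    continue  # e.g. a javascript: or protocol-relative URL
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.open_tags:
            return            # stray end tag: ignore it
        while self.open_tags:  # close mis-nested children too
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))

    # comments, <!DOCTYPE>, <?pi?> etc. fall through to no-op handlers and vanish

    def result(self):
        self.close()           # flush any buffered text
        while self.open_tags:  # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()


# Constructed sample input: mixes allowed markup with things the policy must remove.
SAMPLE = (
    '<p>Hi <strong>there</strong>, see <a href="https://example.com/docs" onclick="x()">docs</a>'
    ' <img src="javascript:void(0)" alt="pic"> <script>var t = 1;</script>'
    ' and a literal &lt;b&gt; tag<em>unclosed'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Even this small policy has to make several decisions a plain Markdown-only renderer never faces: which attributes are URLs, which schemes count as safe, what to do with the text inside a dropped element, and how to repair mis-nested or unclosed tags so the output cannot break out of its container. Each of those is a place where a hand-rolled sanitizer tends to go wrong, which is why a maintained library is the usual choice when the whitelist approach is taken at all.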

    1. 4

      I just want to add that common web frameworks like Laravel are doing this through their templating system.

      1. 2

        Never filter input, validate input! And then escape output.

        1. 1

          Yet another blog post without a web tag, trying to approach the common problem only from the webdev’s standpoint.

          1. 1

            Thirty years on and we’re still arguing about Postel’s Law…

            1. 3

              We’ve learned a lot since. Martin Thomson’s internet draft as a response is certainly a good read: https://tools.ietf.org/html/draft-iab-protocol-maintenance-04. See also other criticism listed at https://en.wikipedia.org/wiki/Robustness_principle#Criticism