I worked the last 2 days on WMD and Markdown, and I did not find a solution for the stock data with security. I would like users to be able to host HTML / XML <code> (with WMD) on my site.
I currently have Markdown-format data, but if I turn off JavaScript, the user can easily click XSS. If I strip_tags or html_entities all the data, I lose the custom HTML / XML <code>. How can I do this?
In my opinion, I should html_entities just the code between pre / pre, but how?! My data is in Markdown.
After that, what can I do to disable XSS attributes like this one:
<img src="javascript:alert('xss');" />
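One way to get what the question asks for (escape only what is inside code blocks, drop attributes that can run script, keep the rest of the HTML) is to run the Markdown renderer first and then pass its HTML through an allowlist sanitizer before storing or serving it. The following is an added example written for this answer, not code from the original post, WMD or any Markdown library; the tag and attribute allowlists, the `SAMPLE` input and the function names are my own assumptions for illustration. It runs in Node without dependencies.

```javascript
// Added example (not from the original post): sanitize the HTML that a Markdown
// renderer produced, before storing or serving it. Runs in Node with no dependencies.
// The allowlists below are assumptions for illustration; extend them as needed.

const ALLOWED_TAGS = new Set(["p", "br", "em", "strong", "code", "pre", "a", "img",
  "ul", "ol", "li", "blockquote", "h1", "h2", "h3"]);
const ALLOWED_ATTRS = {                   // every attribute not listed here is dropped,
  a: new Set(["href", "title"]),          // which removes onerror=, onclick=, style=, ...
  img: new Set(["src", "alt", "title"]),
};
const URL_ATTRS = new Set(["href", "src"]);
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>/g;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Text nodes: only < and > need escaping; entities the renderer already emitted (&amp;) stay.
function escapeText(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Browsers decode entities in attribute values before parsing the URL, so
// href="&#106;avascript:..." is still javascript:. Decode first, then inspect.
function decodeEntities(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (whole, body) => {
    if (body[0] === "#") {
      const cp = /^#x/i.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return cp >= 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
    }
    return named[body.toLowerCase()] ?? whole;
  });
}

// Returns a cleaned URL, or null when the scheme is not on the allowlist.
// Browsers ignore tabs and newlines inside a URL, so "java\tscript:" is read as
// "javascript:"; strip those characters before looking at the scheme.
function safeUrl(url) {
  const cleaned = url.replace(/[\u0000-\u001f]/g, "").trim();
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (m && !SAFE_SCHEMES.has(m[1].toLowerCase())) return null;
  return cleaned;                          // relative URLs (no scheme) pass
}

function sanitizeAttrs(tag, attrStr) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return "";
  let result = "";
  for (const a of attrStr.matchAll(ATTR_RE)) {
    const name = a[1].toLowerCase();
    if (!allowed.has(name)) continue;
    let value = decodeEntities(a[2] ?? a[3] ?? a[4] ?? "");
    if (URL_ATTRS.has(name)) {
      value = safeUrl(value);
      if (value === null) continue;        // src="javascript:alert('xss');" is removed here
    }
    result += ` ${name}="${escapeHtml(value)}"`;
  }
  return result;
}

// Walks the HTML tag by tag. Inside <code> every tag becomes literal text, which is
// the "html_entities just the code between pre / pre" behaviour the post asks for.
function sanitizeHtml(html) {
  let out = "";
  let last = 0;
  let inCode = false;
  let dropping = null;                     // <script>/<style> whose body is being discarded
  for (const m of html.matchAll(TAG_RE)) {
    const [raw, nameRaw, attrStr] = m;
    const name = nameRaw.toLowerCase();
    const closing = raw.startsWith("</");
    const text = html.slice(last, m.index);
    last = m.index + raw.length;
    if (dropping) {
      if (closing && name === dropping) dropping = null;
      continue;                            // body of <script>/<style> is discarded
    }
    out += escapeText(text);
    if (inCode) {
      if (closing && name === "code") { inCode = false; out += "</code>"; }
      else out += escapeHtml(raw);         // a <script> typed inside a code block is shown, not run
    } else if (name === "script" || name === "style") {
      if (!closing) dropping = name;
    } else if (ALLOWED_TAGS.has(name)) {
      if (closing) { out += `</${name}>`; }
      else { out += `<${name}${sanitizeAttrs(name, attrStr)}>`; if (name === "code") inCode = true; }
    }
    // any other tag is dropped; the text around it is kept
  }
  return dropping ? out : out + escapeText(html.slice(last));
}

// Constructed sample: rendered Markdown that let raw HTML through.
const SAMPLE = '<p>hi</p><img src="javascript:alert(\'xss\');" />' +
  '<pre><code><script>alert(1)</script></code></pre>' +
  '<img src="/ok.png" onerror="alert(1)"><a href="&#106;avascript:alert(1)">x</a>';

console.log(sanitizeHtml(SAMPLE));
```

The design point is the order of operations: sanitize the renderer's output, not the Markdown source, so the check sees the same HTML the browser will, and decode entities in attribute values before inspecting URLs, because `&#106;avascript:` and `java&#9;script:` both reach the browser as `javascript:`. Escaping only the contents of `<code>` keeps the user's HTML / XML samples readable while everything else goes through the allowlist. For production, a maintained allowlist sanitizer such as DOMPurify or HTML Purifier does the same job with far more edge cases covered than this short walker.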