Is Markdown (with strip_tags) sufficient to stop XSS attacks?

温柔的废话 2020-12-16 01:31

I'm working on a web application that allows users to type short descriptions of items in a catalog. I'm allowing Markdown in my textareas so users can do some HTML format

7 answers
  •  悲&欢浪女
    2020-12-16 02:24

    Here's a lovely example of why you need to sanitize the HTML after, not before:

    Markdown code:

    >  
    >
    

    Rendered as:

    Now are you worried?
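The point of this answer, shown as an added example rather than code from the original post: running a tag stripper over the raw Markdown does nothing against constructs that only become HTML once the Markdown is rendered, so the sanitizer has to run on the rendered output. The tiny Markdown renderer, the `strip_tags` stand-in and the allowlist sanitizer below are all constructed for illustration (they are not a real Markdown library or a production sanitizer), and the sample inputs are constructed too.

```python
import html
import re

# Constructed sample inputs (not from the original post).
SAMPLES = [
    "> quoted *text*",                       # ordinary Markdown, should survive
    "[docs](https://example.com/guide)",     # ordinary link, should survive
    "[click me](javascript:alert(1))",       # link whose URL scheme must not survive
    '<em class="big">hi</em>',               # raw HTML: tag allowed, attribute dropped
]


def strip_tags(text: str) -> str:
    """Stand-in for PHP-style strip_tags(): removes anything shaped like a tag."""
    return re.sub(r"<[^>]*>", "", text)


def render_markdown(text: str) -> str:
    """Toy Markdown subset: '>' blockquotes, *emphasis*, [text](url) links.
    Like most real renderers it passes raw HTML through untouched."""
    out = []
    for line in text.splitlines():
        quoted = line.startswith(">")
        if quoted:
            line = line[1:].lstrip()
        # [text](url): the lookahead lets a URL end in ')' as in alert(1)
        line = re.sub(r"\[([^\]]+)\]\((\S+?)\)(?!\))", r'<a href="\2">\1</a>', line)
        line = re.sub(r"\*([^*]+)\*", r"<em>\1</em>", line)
        out.append(f"<blockquote>{line}</blockquote>" if quoted else f"<p>{line}</p>")
    return "\n".join(out)


ALLOWED_TAGS = {"p", "em", "strong", "blockquote", "a"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def sanitize_html(rendered: str) -> str:
    """Allowlist sanitizer applied to the *rendered* HTML: unknown tags are
    dropped (their text is kept), every attribute is dropped except an href
    whose scheme is on the allowlist."""
    def fix_tag(match: re.Match) -> str:
        closing, name, attrs = match.group(1), match.group(2).lower(), match.group(3)
        if name not in ALLOWED_TAGS:
            return ""
        if name == "a" and not closing:
            href = re.search(r'href="([^"]*)"', attrs)
            url = href.group(1).strip() if href else ""
            if not url.lower().startswith(SAFE_SCHEMES):
                return "<a>"  # unsafe or missing scheme: keep link text, lose the href
            return f'<a href="{html.escape(url, quote=True)}">'
        return f"<{closing}{name}>"  # all other attributes (onclick, style, ...) are gone
    return re.sub(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>", fix_tag, rendered)


def sanitize_then_render(text: str) -> str:
    """The order the question proposes: strip tags, then render Markdown."""
    return render_markdown(strip_tags(text))


def render_then_sanitize(text: str) -> str:
    """The order the answer recommends: render Markdown, then sanitize the HTML."""
    return sanitize_html(render_markdown(text))


if __name__ == "__main__":
    for sample in SAMPLES:
        print("input            :", sample)
        print("strip -> render  :", sanitize_then_render(text=sample))
        print("render -> sanitize:", render_then_sanitize(text=sample))
        print()
```

For the `javascript:` link, `strip_tags` sees no angle brackets and leaves the input alone, so the first ordering emits an anchor with that URL intact; the second ordering keeps the link text but drops the href. A real deployment would use a maintained HTML sanitizer (allowlist of tags, attributes and URL schemes) in place of the toy one here, but the placement is the same: after rendering.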
