I'm working on a web application that allows users to type short descriptions of items in a catalog. I'm allowing Markdown in my textareas so users can do some HTML format
Sanitizing the resulting HTML after rendering the Markdown is going to be safest. If you don't, I think that people would be able to execute arbitrary Javascript in Markdown like so:
[Click me](javascript:alert\('Gotcha!'\);)
PHP Markdown converts this to:
Which does the job. ...and don't even think about beginning to add in code to take care of these cases. Correct sanitization isn't easy, just use a good tool and apply it after you render your Markdown into HTML.
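To make the answer's point concrete, here is an added example (not code from the question, the answer, or any Markdown library) showing what a post-render sanitizer has to do with the rendered output of that link: walk the HTML, keep only allow-listed tags and attributes, and drop any href whose URL scheme is not on an allow-list. The tag and scheme lists, the constructed sample HTML, and the class and function names are all my own assumptions; the answer's advice to use a maintained sanitizer library rather than hand-rolling one still applies, and this block only illustrates the shape of the check such a tool performs.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-lists for a short catalog description (hypothetical policy).
ALLOWED_TAGS = {"p", "em", "strong", "a", "ul", "ol", "li", "code", "pre", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
# Empty scheme covers relative links; anything else (javascript:, data:, ...) is dropped.
ALLOWED_SCHEMES = {"", "http", "https", "mailto"}
VOID_TAGS = {"br"}
# Tags whose text content must be discarded, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style"}


def safe_url(url: str) -> bool:
    """Return True only if the URL's scheme is on the allow-list."""
    return urlsplit(url.strip()).scheme.lower() in ALLOWED_SCHEMES


class AllowListSanitizer(HTMLParser):
    """Rebuilds HTML from the parser events, keeping only allow-listed markup."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.suppress = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.suppress += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is stripped; its text is still emitted
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers (onclick=...) and the like never pass
            if name == "href" and not safe_url(value or ""):
                continue  # the javascript: link from the answer lands here
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.suppress = max(0, self.suppress - 1)
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.suppress:
            # Text is re-escaped, so anything that arrived as an entity stays inert.
            self.out.append(escape(data, quote=False))


def sanitize(rendered_html: str) -> str:
    """Sanitize HTML *after* Markdown rendering, as the answer recommends."""
    parser = AllowListSanitizer()
    parser.feed(rendered_html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample: what a Markdown renderer produces for the answer's link.
    rendered = "<p><a href=\"javascript:alert('Gotcha!');\">Click me</a></p>"
    print(sanitize(rendered))
```

Running it on the rendered form of the answer's link yields `<p><a>Click me</a></p>`: the anchor survives as harmless text, the `javascript:` href does not. Ordinary `http`/`https` links and relative paths pass through unchanged, and inline event-handler attributes are dropped regardless of the tag.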