Is Markdown (with strip_tags) sufficient to stop XSS attacks?

Backend · unresolved · 7 answers · 1109 views
温柔的废话 2020-12-16 01:31

I'm working on a web application that allows users to type short descriptions of items in a catalog. I'm allowing Markdown in my textareas so users can do some HTML format

7 answers
  •  渐次进展
    2020-12-16 02:03

    No. The way you are using Markdown is not secure. Markdown can be used securely, but you have to use it right. For details on how to use Markdown securely, look here. See the link for details about how to use it safely, but the short version is: it is important to use the latest version, to set safe_mode, and to set enable_attributes=False.

    The link also explains why escaping the input and then calling Markdown (as you are doing) is not sufficient to be secure. Short example: "[clickme](javascript:alert%28%22xss%22%29)".
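The following is an added example, not code from the question, the answer, or Python-Markdown itself. It uses no Markdown library: a one-regex stand-in for the inline-link rule is enough to show why escaping the input first does nothing to the answer's payload, and what a scheme check on the resulting href has to handle before it can be trusted. `SAFE_SCHEMES`, `link_scheme`, `escape_input` and the two `render_links_*` functions are names introduced here for illustration; the payload is the one quoted in the answer.

```python
import html
import re

# Constructed payload, taken from the answer above: it contains no character that
# html.escape() rewrites, so "escape first, then render Markdown" leaves it intact.
PAYLOAD = '[clickme](javascript:alert%28%22xss%22%29)'

# Hypothetical allowlist for this example; schemeless (relative) URLs are also accepted.
# An allowlist is used on purpose: a blocklist of "javascript:" misses data:, vbscript:, etc.
SAFE_SCHEMES = {"http", "https", "mailto"}

# Minimal stand-in for a Markdown inline-link rule: [label](url). Not a full parser.
_LINK_RE = re.compile(r'\[([^\]]*)\]\(([^)\s]*)\)')


def escape_input(text: str) -> str:
    """The pre-escaping step the question relies on."""
    return html.escape(text, quote=True)


def link_scheme(url: str) -> str:
    """Scheme a browser would act on for this href, lowercased, or '' if none.

    HTML entities are decoded first (attribute values are entity-decoded before
    URL parsing), then ASCII controls and whitespace are dropped (browsers strip
    tab/newline anywhere in a URL and leading/trailing controls). Dropping every
    such character is deliberately conservative: it may reject an odd but
    harmless URL, but never accepts a disguised dangerous one.
    """
    decoded = html.unescape(url)
    cleaned = ''.join(ch for ch in decoded if ord(ch) > 0x20)
    m = re.match(r'([a-zA-Z][a-zA-Z0-9+.-]*):', cleaned)
    return m.group(1).lower() if m else ''


def is_safe_href(url: str) -> bool:
    scheme = link_scheme(url)
    return scheme == '' or scheme in SAFE_SCHEMES


def render_links_naive(text: str) -> str:
    """Escape, then render links with the href copied through untouched.
    This is what the question does, and why the answer says it is not enough."""
    return _LINK_RE.sub(lambda m: f'<a href="{m.group(2)}">{m.group(1)}</a>',
                        escape_input(text))


def render_links_safe(text: str) -> str:
    """Same rendering, but a link whose scheme is not allowlisted is dropped and
    its label kept as plain text. Input is escaped once, up front, so the url
    and label captured here are already attribute- and text-safe."""
    def repl(m):
        label, url = m.group(1), m.group(2)
        if not is_safe_href(url):
            return label
        return f'<a href="{url}">{label}</a>'
    return _LINK_RE.sub(repl, escape_input(text))


if __name__ == '__main__':
    print('escaped input  :', escape_input(PAYLOAD))      # unchanged
    print('naive rendering:', render_links_naive(PAYLOAD))  # live javascript: link
    print('safe rendering :', render_links_safe(PAYLOAD))   # just the text "clickme"
    for href in ('JavaScript:alert(1)', 'java\tscript:alert(1)',
                 '&#106;avascript:alert(1)', 'data:text/html,x', '/items/42'):
        print(f'{href!r:32} scheme={link_scheme(href)!r} safe={is_safe_href(href)}')
```

The naive renderer emits `<a href="javascript:alert%28%22xss%22%29">clickme</a>`: the browser percent-decodes the URL when it runs it, so the escaping step never saw anything it could neutralise. The check that actually helps has to be applied to the URL as the browser will interpret it (after entity decoding and control-character stripping, case-insensitively) and has to be an allowlist; a maintained HTML sanitizer with a URL allowlist applies that same check to every URL-bearing attribute (href, src and so on) of the rendered output, not only to Markdown links.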
