From: G. M. <gr...@mu...> - 2008-07-17 20:31:01
Hello,
I recently tried to see whether I could hijack my own site, to test if it is secure enough.
I tried to post the following snippet:
[What is the answer?](javascript:alert(42);)
but this would simply give me
<p><a href="javascript:alert(1">test</a>;)\n</p>
Though I have discovered that this is achievable with the Perl
implementation of Markdown with a backslash in front of the first )
It looks like that:
[What is the answer?](javascript:alert(42\);)
and it works!
OK, it's cool that there cannot be any JavaScript with parentheses...
but this would also prevent users from posting links to Wikipedia like
"http://en.wikipedia.org/wiki/Phone_(disambiguation)".
Is this a bug? Or a feature? Or a not quite well-defined thing in the
Markdown specs?
Thanks for your attention :-)
Gregor
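The parsing question raised in the post, as an added example (not Markdown.pl's code): a link-destination parser that resolves backslash escapes and balances only unescaped parentheses, so the Wikipedia link survives whole, followed by a scheme allowlist applied to the decoded destination, so a `javascript:` URL is dropped however it is spelled. The `SAFE_SCHEMES` set and the helper names are assumptions of this example.

```python
import html
import re
from urllib.parse import unquote

# Added example, not the Markdown.pl code discussed in the thread.
SAFE_SCHEMES = {"http", "https", "mailto"}  # javascript:, data:, ... are dropped

def parse_destination(s, i):
    """Read a link destination from s, starting just after the opening '('.
    Escapes are resolved and only unescaped parentheses count for balance, so
    'Phone_(disambiguation)' survives whole and a backslash-escaped ')' cannot
    close the destination. Returns (destination, end_index) or None."""
    out, depth = [], 0
    while i < len(s):
        ch, i = s[i], i + 1
        if ch == "\\" and i < len(s):
            ch, i = s[i], i + 1  # escaped char is literal, even ')' or '('
        elif ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                return "".join(out), i
            depth -= 1
        out.append(ch)
    return None  # unbalanced: this is not a link at all

def is_safe_url(url):
    """Allowlist the scheme of the decoded destination: control characters,
    whitespace and percent-encoding are normalised away before comparing."""
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", unquote(url))
    m = re.match(r"([a-z][a-z0-9+.-]*):", cleaned, re.IGNORECASE)
    return m is None or m.group(1).lower() in SAFE_SCHEMES  # relative URLs pass

def render_links(text):
    """Turn [label](dest) into <a>; an unsafe destination keeps only the label."""
    out, pos = [], 0
    for m in re.finditer(r"\[([^\]]*)\]\(", text):
        parsed = parse_destination(text, m.end())
        if m.start() < pos or parsed is None:
            continue
        dest, end = parsed
        label = html.escape(m.group(1))
        out.append(html.escape(text[pos:m.start()]))
        if is_safe_url(dest):
            out.append('<a href="%s">%s</a>' % (html.escape(dest), label))
        else:
            out.append(label)
        pos = end
    out.append(html.escape(text[pos:]))
    return "".join(out)
```

Both layers matter: balanced parsing means the escaped variant from the post is not recognised as a link at all, and the scheme check catches any `javascript:` destination that does parse.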