From: Yuri T. <qar...@gm...> - 2008-07-17 21:44:58
First to Gregor: For [foo](bar(\)) Python Markdown actually behaves just like the most recent Perl implementation.
http://babelmark.bobtfish.net/?markdown=[foo](bar(\))%0D%0A

For [foo](bar()), Python Markdown gives you different, and arguably less intelligent, HTML than other implementations:
http://babelmark.bobtfish.net/?markdown=[foo](bar())%0D%0A

However, other implementations only treat URLs with parentheses intelligently if the parentheses are balanced, and there is a simple alternative way to link to URLs that have parentheses in them, which is supported by all implementations:

    [foo][bar]

    [bar]: http://localhost/bar().html

(see http://babelmark.bobtfish.net/?markdown=[foo][bar]%0D%0A%0D%0A[bar]%3A+http%3A%2F%2Flocalhost%2Fbar().html%0D%0A)

Yes, this works for JavaScript too:

    [foo][alert]

    [alert]: javascript:alert(42)

http://babelmark.bobtfish.net/?markdown=[foo][alert]%0D%0A%0D%0A[alert]%3A+javascript%3Aalert(42)%0D%0A

Does this allow people to do nasty stuff? Yes. However, the consensus on the markdown-discuss list seems to be that preventing XSS attacks is not Markdown's job. The reason is that javascript:alert(42) is just the tip of the iceberg when it comes to cross-site scripting. If you are worried about cross-site scripting, you should get a good XSS filter and run markdown output through it. And in my opinion, the only way to do it right is to parse the output and filter it so that only stuff that you know is safe passes through. You can't fight XSS by black-listing a few keywords like "javascript".

Now, given that we already have a "safe" option that filters out users' HTML, I would be open to also stripping out (in "safe" mode) any links that do not start with one of a small number of prefixes known to be (relatively) safe (e.g., "/", "#", "http://", "https://", "mailto://"). However, this would only make sense in "safe" mode, when user-supplied HTML is already being removed.
To Blake:

> http://maps.google.com/maps?f=q&hl=en&geocode=&q=Summerhill+and+MacLennan&sll=43.687177,-79.371672&sspn=0.021661,0.037594&ie=UTF8&t=h&z=16
> and watched it completely fail

In this case, I don't actually see what the problem would be. It seems to work fine for me.

- yuri

--
http://sputnik.freewisdom.org/
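The approach Yuri describes (parse the generated HTML and let only known-safe link targets through, rather than blacklisting the word "javascript") as an added example; this is illustrative code, not Python Markdown's "safe" mode, and the allowlist of schemes is the one the message suggests. It uses the standard-library HTML parser, which also unescapes attribute values, so entity-encoded tricks like `&#106;avascript:` are seen in their decoded form before the check runs.

```python
"""Allowlist-based href filter for Markdown output (constructed example)."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes the message calls "relatively safe"; relative URLs ("/", "#", ...) have no scheme.
SAFE_SCHEMES = {"http", "https", "mailto"}


def is_safe_href(href: str) -> bool:
    """True for relative URLs and for allowlisted schemes, case-insensitively.
    Whitespace and control characters are stripped first, since browsers
    ignore them when they parse a URL like "java\\tscript:alert(1)"."""
    cleaned = "".join(ch for ch in href if ch.isprintable() and not ch.isspace())
    scheme = urlsplit(cleaned).scheme.lower()
    if not scheme:
        return True  # e.g. "/bar().html" or "#section": no scheme at all
    return scheme in SAFE_SCHEMES


class LinkFilter(HTMLParser):
    """Re-emits the markup, dropping href attributes that fail is_safe_href."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def _render(self, tag, attrs, self_closing=False):
        kept = [(k, v) for k, v in attrs
                if not (tag == "a" and k == "href" and v is not None and not is_safe_href(v))]
        rendered = "".join(' %s="%s"' % (k, html.escape(v or "", quote=True)) for k, v in kept)
        self.out.append("<%s%s%s>" % (tag, rendered, " /" if self_closing else ""))

    def handle_starttag(self, tag, attrs):
        self._render(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._render(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # re-escape decoded text


def filter_links(markup: str) -> str:
    """Return markup with every unsafe <a href> removed (the text stays)."""
    parser = LinkFilter()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```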