On 2008-03-14 at 16:38, Waylan Limberg wrote:

> Regarding the security issues, I understand your concerns, but there
> are some situations where all document authors are trusted
> (authenticated) users and have a legitimate need for that feature. We
> can't cut them off for everyone else. However, I know that
> Python-Markdown has an option to not allow any html in a document
> (this "safe_mode" can be set to either replace with a customizable
> message, remove completely, or escape the html). Of course, to stay in
> line with the Markdown standard, it is off by default, but very easy
> to turn on in your code. Other implementations may offer a similar
> option.

"Safe mode" you say?

PHP Markdown also has a no-markup mode which would filter script tags and any other HTML tags. But this doesn't prevent anyone from inserting their own script on the page. Do you know you can inject a script in a URL? Guess what this does:

    [link](javascript:alert%28'Hello%20world!'%29)

There is also a browser (IE I think) which automatically executes JavaScript used as the source URL for an image, so this could also work in some cases:

    ![image](javascript:alert%28'Hello%20world!'%29)
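The point of the two snippets above is that stripping raw HTML tags ("safe mode" / "no-markup mode") does nothing about the URL carried by an ordinary link or image, so an application that accepts Markdown from untrusted authors also has to check the scheme of every `href` and `src` it emits. The following is an added example of such a check, written for this discussion; it is not code from PHP Markdown, Python-Markdown, or Michel Fortin. It assumes a scheme allowlist (`SAFE_SCHEMES`), that the check runs over the rendered HTML with a simple attribute regex rather than a full HTML parser, and that rejected URLs are replaced by a placeholder `#`. The sample HTML is constructed to match what the two Markdown snippets above would roughly render to.

```python
import html
import re

# Hypothetical allowlist: the only schemes this application is willing to link to.
# Anything relative (no scheme) is also accepted, since it stays on the same site.
SAFE_SCHEMES = {"http", "https", "mailto", "ftp"}

# Control characters and whitespace that browsers discard before they look for a scheme,
# so a URL must be normalised the same way before it is classified.
_CTRL_WS = re.compile(r"[\x00-\x20\x7f]")

# A URL scheme per RFC 3986: a letter followed by letters, digits, '+', '.', or '-'.
_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*$")

# href="..." / src='...' attributes in rendered HTML (case-insensitive, either quote style).
_ATTR_RE = re.compile(r"""(\b(?:href|src)\s*=\s*)(["'])(.*?)\2""", re.IGNORECASE | re.DOTALL)


def url_scheme(url: str) -> str:
    """Return the lowercased scheme a browser would see, or '' for a relative URL."""
    # The value lives in an HTML attribute, so undo entity encoding once first.
    cleaned = _CTRL_WS.sub("", html.unescape(url))
    head, sep, _rest = cleaned.partition(":")
    if not sep:
        return ""
    head = head.lower()
    # "docs/a:b" has a colon but no valid scheme in front of it: treat as relative.
    return head if _SCHEME_RE.match(head) else ""


def is_safe_url(url: str) -> bool:
    """True when the URL is relative or uses an allowlisted scheme."""
    scheme = url_scheme(url)
    return scheme == "" or scheme in SAFE_SCHEMES


def sanitize_urls(rendered_html: str, placeholder: str = "#") -> str:
    """Replace every href/src value whose scheme is not allowlisted with a placeholder."""

    def _replace(match: "re.Match[str]") -> str:
        prefix, quote, value = match.group(1), match.group(2), match.group(3)
        if is_safe_url(value):
            return match.group(0)
        return f"{prefix}{quote}{placeholder}{quote}"

    return _ATTR_RE.sub(_replace, rendered_html)


# Constructed sample: roughly what the two Markdown snippets above render to,
# plus one legitimate link that must survive untouched.
SAMPLE_HTML = (
    "<p><a href=\"javascript:alert%28'Hello%20world!'%29\">link</a></p>\n"
    "<p><img src=\"javascript:alert%28'Hello%20world!'%29\" alt=\"image\" /></p>\n"
    "<p><a href=\"https://michelf.com/\">Michel Fortin</a></p>\n"
)


def demo() -> str:
    """Run the sanitizer over the constructed sample and return the cleaned HTML."""
    return sanitize_urls(SAMPLE_HTML)


if __name__ == "__main__":
    print(demo())
```

Because the check runs on the rendered HTML rather than on the Markdown source, it catches the same URL whether it came from `[link](...)`, `![image](...)`, a reference-style definition, or an autolink, and the allowlist approach means any scheme the application has not explicitly approved is rejected rather than having to enumerate dangerous ones.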


Michel Fortin
[EMAIL PROTECTED]
http://michelf.com/


_______________________________________________
Markdown-Discuss mailing list
Markdown-Discuss@six.pairlist.net
http://six.pairlist.net/mailman/listinfo/markdown-discuss