
I'm building a site with user-generated content using Pagedown (though any form of Markdown would work), and I wish to store both the original markdown and the sanitized HTML in the database so that users can go back and edit the original input. I'm not sure how to re-display the original markdown safely without being vulnerable to XSS, though. For example, if the user enters the following as their input:

</textarea>
<script>MaliciousCode();</script>

This will be fine when originally entered, since Pagedown sanitizes it and converts it to HTML; this HTML gets sent to the server (which strips non-whitelisted HTML tags again anyway, since I can't trust client-side sanitization alone). But then when the original markdown gets sent back to the client for editing it becomes:

<textarea class="wmd-input" id="wmd-input" name="wmd_area" >
</textarea>
<script>MaliciousCode();</script>
</textarea>

And it is now vulnerable to XSS. Can someone advise how sites that allow editing of stored markdown make this safe, or what better way I should be doing it where this won't be a problem? I know the textarea tag will be stripped since it's not whitelisted, but that would require stripping tags from the original markdown before converting it to HTML, which from what I've read will screw up the original markdown and shouldn't be done.

Chris
  • Sanitise (whitelist) the original markdown as well. Why do you want to keep the obviously malicious code? Ill-conceived user-friendliness is a cause of many security vulnerabilities. – Vitaly Osipov May 15 '13 at 11:01
  • @agelastic I just wanted to keep the original so users could edit their original input and not necessarily get back a bunch of HTML, which may look very different from that. The problem with your suggestion (afaik) is described [here](http://stackoverflow.com/questions/1690601/markdown-and-xss) and [here](http://michelf.ca/blog/2010/markdown-and-xss/). Specifically, "filter for XSS after Markdown has processed any input, not before. If you filter before, it’ll break some of Markdown’s features and will leave security holes." – Chris May 19 '13 at 19:03
  • What you want is most likely impossible. If security is more important than convenience, then sanitise the resulting HTML and store only that. If convenience is more important, screw XSS protection :) – Vitaly Osipov May 24 '13 at 07:02
  • It seems unlikely that it's impossible, since Stackoverflow and other markdown-using sites do it, and I don't think they're leaving gaping security holes open. I have an idea to use javascript to insert it as text after the page loads, but I haven't experimented with it yet. If it works then I'll update this question or add it as an answer. – Chris May 25 '13 at 02:01
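The technique the question is circling around, as an added example that is not code from the question, its comments, or Pagedown: the stored markdown is never placed into the page as markup, it is HTML-escaped before being written between the `<textarea>` tags, and the browser decodes the references back into the exact original text for editing. Function names (`escapeHtml`, `renderEditor`, `decodeEntities`, `closingTagCount`) are assumed; the `<textarea>` attributes and the payload are the ones from the question.

```javascript
// Added example, not from the question or from Pagedown. Runs under Node.js.
// Escape the characters HTML gives special meaning to. Inside a <textarea>
// (RCDATA content) the critical ones are "<", so "</textarea>" cannot close
// the element early, and "&", so a literal "&lt;" typed by the user is not
// decoded into something else. The rest make the helper safe for attribute
// contexts as well.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Server-side rendering of the edit form. The attributes are fixed strings
// from the question; only the body is user-controlled, and it is escaped.
function renderEditor(storedMarkdown) {
  return '<textarea class="wmd-input" id="wmd-input" name="wmd_area">' +
    escapeHtml(storedMarkdown) +
    '</textarea>';
}

// What the browser will show in the textarea: character references in
// RCDATA are decoded, so the user gets their original text back unchanged.
// Minimal decoder for the five references produced above, to show the
// round trip is lossless.
function decodeEntities(text) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return text.replace(/&(amp|lt|gt|quot|#39);/g, (m, name) => map[name]);
}

// Check a template test can run: the rendered editor must contain exactly
// one closing </textarea> tag, the one the template itself wrote.
function closingTagCount(html) {
  return (html.match(/<\/textarea>/gi) || []).length;
}

// Constructed sample: the stored input from the question.
const storedMarkdown = '</textarea>\n<script>MaliciousCode();</script>';

const editorHtml = renderEditor(storedMarkdown);
console.log(editorHtml);
console.log('closing </textarea> tags:', closingTagCount(editorHtml));
console.log('round trip intact:', decodeEntities(escapeHtml(storedMarkdown)) === storedMarkdown);
```

The same property holds for the client-side idea in the last comment: assigning the raw text to `textarea.value` (or `textContent`) via the DOM never goes through the HTML parser, so no escaping is needed on that path. Most server-side template engines apply this escaping by default; the hole in the question arises when the stored markdown is concatenated into the page as a raw string.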

0 Answers