Using Markdown with Sanitization

Websites often use Markdown to allow their users to create content. It provides a lightweight markup language that can be converted to HTML and other formats by many common libraries.

There has been some recent discussion in the news about Markdown-based XSS exploits in major websites like Pastebin.

We also heard about this Markdown XSS issue during a recent presentation at the LocoMoco Security Conference.

The root of the issue is that the Markdown specification actively encourages raw HTML inside Markdown, but that isn’t a good default for sites that are worried about code injection attacks.
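The post-render sanitization step this describes, as an added example that is not part of the original post: a stdlib-only allowlist filter in Python, run on the HTML a Markdown converter emits, which keeps the converter's own tags and strips what arrived as raw HTML (script elements with their content, event-handler attributes, javascript: URLs). The tag and attribute allowlists, the function names and the sample input are all constructed for this illustration.

```python
from html import escape
from html.parser import HTMLParser

# Only what the Markdown converter itself emits survives; raw HTML embedded in
# the user's Markdown loses every tag and attribute not listed here.
ALLOWED_TAGS = {"p", "a", "em", "strong", "code", "pre", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = ("http", "https", "mailto")
DROP_WITH_CONTENT = {"script", "style"}  # remove the element and its text
def _safe_url(url):
    # Browsers ignore whitespace/control chars inside a scheme ("java\tscript:").
    cleaned = "".join(c for c in (url or "") if c.isprintable() and not c.isspace())
    scheme, sep, _ = cleaned.lower().partition(":")
    # No scheme (relative URL), or ':' only after the path starts, is fine.
    return not sep or any(c in scheme for c in "/?#") or scheme in SAFE_SCHEMES
class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif tag in ALLOWED_TAGS:  # unknown tags vanish, their text is kept
            keep = [(n, v) for n, v in attrs if n in ALLOWED_ATTRS.get(tag, ())
                    and (n != "href" or _safe_url(v))]  # drops on*, style, src
            self.out.append(f"<{tag}" + "".join(f' {n}="{escape(v or "")}"' for n, v in keep) + ">")
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in self.stack:  # also closes tags left open inside it
            while (closed := self.stack.pop()) != tag:
                self.out.append(f"</{closed}>")
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text content is always re-escaped
def sanitize_rendered_markdown(html):
    # Post-processing step for the converter's HTML output, before it hits the page.
    s = AllowlistSanitizer()
    s.feed(html)
    s.close()
    s.out.extend(f"</{t}>" for t in reversed(s.stack))  # balance tags left open
    return "".join(s.out)
# Constructed sample: converter output for Markdown that embedded raw HTML.
RENDERED = ('<p>Hi <em>there</em>, see <a href="https://example.com" title="t">docs</a>.</p>'
            '<p><a href="javascript:alert(1)" onclick="alert(2)">click</a></p>'
            '<script>alert(3)</script><p><img src=x onerror="alert(4)">&lt;b&gt;x&lt;/b&gt;</p>')
```

In production a maintained sanitizer library with a tested allowlist does this job; the point of the example is where the check sits in the pipeline: after conversion and before the HTML reaches the page.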

I’ve spent the last few weeks thinking about React from a secure coding perspective. Since React is a library for creating component-based user interfaces, most of the attack surface is related to issues with rendering elements in the DOM. The smart folks over at Facebook have handled this by building automatic escaping into the React DOM library code.

Built-in Escaping is Limited

The escaping code in React DOM works great when you pass a string value as [...children]. Notice the other two arguments to React.createElement, type and [props]: values passed into them are unescaped.

// From…
