I want to build a blog, and with that users can write and submit markdown content to my server postgresql, in which would be fetched and generated on client side when published. However, I think this would run into a XSS attack. What are common strategy to this problem?
CodePudding user response:
Markdown itself doesn't introduce any XSS attacks problems. The problems arise when you try to convert it to HTML.
What you want to do is verify that when you render it, you escape text inside tags.
e.g. you have # Some Title with <script> </script>
This will become <h1>Some Title with <script> </script></h1>
. This will cause a problem, but if you would escape HTML symbols in the text you would get this
<h1>Some Title with <script> </script> </h1>