XSS vulnerability #120

haampie opened this Issue Apr 28, 2014 · 3 comments



haampie commented Apr 28, 2014

See for instance


It is possible to create javascript links with `[some text](javascript:alert('xss'))`

driesvints added this to the 2.0 milestone May 18, 2014
driesvints self-assigned this May 21, 2014

barryvdh commented Jul 2, 2014

So is that in this forum, or is that a bug in the markdown parser (michelf/php-markdown)?
See also: michelf/php-markdown#160, michelf/php-markdown#156, michelf/php-markdown#106 etc.


You could always shove the output from php-markdown through my robust xss protector https://github.com/GrahamCampbell/Laravel-Security.

driesvints modified the milestone: 2.0, 2.1 Aug 17, 2014
driesvints removed the blocker label Aug 17, 2014
driesvints removed their assignment Aug 17, 2014
This was referenced Aug 25, 2014

Fixed in #163

driesvints closed this Sep 4, 2014
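
As an added example (not code from this thread, from php-markdown, or from the fix in #163), one way to neutralise the `javascript:` link reported above is to allowlist URL schemes in the renderer's HTML output. `isSafeUrl`, `safeMarkdownHtml` and `ALLOWED_SCHEMES` are hypothetical names, and the sample input is constructed.

```php
<?php
// Added example; names below are hypothetical, not php-markdown's or the forum's API.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

function isSafeUrl(string $url): bool
{
    // Browsers ignore tabs, newlines and leading spaces in URLs, so strip
    // control characters and whitespace before looking at the scheme.
    $url = preg_replace('/[\x00-\x20]+/', '', $url);
    // No scheme at all: relative URL, path or fragment.
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return true;
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

function safeMarkdownHtml(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate HTML5 tags libxml does not know
    // The XML declaration forces UTF-8; the wrapper div lets us serialise the fragment only.
    $doc->loadHTML('<?xml encoding="UTF-8"><div id="md-root">' . $html . '</div>');
    libxml_clear_errors();

    $xpath = new DOMXPath($doc);
    // DOMAttr::$value is already entity-decoded, so an encoded scheme is seen in plain form.
    foreach (iterator_to_array($xpath->query('//@href | //@src')) as $attr) {
        if (!isSafeUrl($attr->value)) {
            $attr->ownerElement->removeAttributeNode($attr);
        }
    }

    $out = '';
    foreach ($xpath->query('//div[@id="md-root"]')->item(0)->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample: renderer output for the link reported in this issue, plus one
// encoded variant and one legitimate link.
$rendered = '<p><a href="javascript:alert(\'xss\')">some text</a> '
          . '<a href=" &#74;ava&#9;script:alert(1)">encoded</a> '
          . '<a href="https://example.com/">ok</a></p>';
echo safeMarkdownHtml($rendered), PHP_EOL;
```

This covers only `href` and `src` attributes; any other markup that reaches the rendered output still needs a full HTML sanitiser.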