by cdcarter
802 days ago
Well, the markdown specification allows inline HTML, so that's to be expected. But it's true that if you're taking user input as markdown and displaying it as rendered HTML, you need to think very carefully about escaping and sanitization.
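The point in the comment above, as an added example that is not part of the original thread: a toy markdown renderer that, like the spec allows, passes inline HTML straight through, followed by an allowlist sanitizer built on the standard-library `html.parser` that is run over the rendered output before display. The tag and attribute allowlists, the `safe_url` scheme check and the sample comment are all constructed for this example; a real deployment would use a maintained sanitizer library, but the structure (render, then sanitize the HTML, never the markdown) is the part worth seeing.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlists constructed for this example: anything not listed is stripped.
ALLOWED_TAGS = {"p", "em", "strong", "a", "code", "pre", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}      # drop the tag and its contents
SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def render_markdown(text: str) -> str:
    """Toy markdown renderer: paragraphs, **strong**, *em*, and raw inline HTML
    passed through untouched, which is what the markdown spec permits and
    exactly why the output must be sanitized before it is displayed."""
    out = []
    for para in re.split(r"\n\s*\n", text.strip()):
        para = re.sub(r"\*\*(.+?)\*\*", r"<strong>\1</strong>", para)
        para = re.sub(r"\*(.+?)\*", r"<em>\1</em>", para)
        out.append(f"<p>{para}</p>")
    return "\n".join(out)


def safe_url(url: str) -> bool:
    """Allow relative URLs and a few explicit schemes; reject everything else.
    Whitespace and control characters are removed before the check because
    browsers ignore them inside a scheme name."""
    cleaned = "".join(ch for ch in url if ord(ch) > 0x20)
    scheme = urlsplit(cleaned).scheme        # urlsplit lowercases the scheme
    return scheme == "" or scheme in SAFE_URL_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serializes only allowlisted tags/attributes; all text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []        # currently open allowlisted tags
        self.skip_depth = 0    # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return                           # unwrap: drop tag, keep its text
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue                     # drops onclick, onerror, style, ...
            value = value or ""
            if name == "href" and not safe_url(value):
                continue
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in self.stack:
            return
        # Close everything opened after this tag so the output stays balanced.
        while True:
            top = self.stack.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))
    # Comments, doctypes and processing instructions fall through to the
    # base-class no-op handlers and are therefore dropped.


def sanitize(fragment: str) -> str:
    s = AllowlistSanitizer()
    s.feed(fragment)
    s.close()
    while s.stack:                           # close tags the input left open
        s.out.append(f"</{s.stack.pop()}>")
    return "".join(s.out)


def render_untrusted_markdown(text: str) -> str:
    # Sanitize the HTML that markdown produced, not the markdown source.
    return sanitize(render_markdown(text))


# Constructed sample comment: legitimate markdown plus inline HTML that the
# renderer lets straight through.
SAMPLE = """Great **post**, see <a href="https://example.com" title="ref">this</a>.

<script>document.title = 'owned'</script><img src="x" onerror="evil()">
<a href="javascript:evil()" onclick="evil()">click</a> and <em>unclosed"""

if __name__ == "__main__":
    print(render_markdown(SAMPLE))           # raw: script and handlers intact
    print(render_untrusted_markdown(SAMPLE)) # sanitized
```

Two design choices matter here: the sanitizer works on the rendered HTML rather than trying to filter the markdown (a markdown-level filter is easily bypassed by the many ways markdown can emit HTML), and it is an allowlist, so a tag or attribute the author forgot to consider is dropped rather than kept.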