by simonw 4411 days ago
It's important to remember that most markdown implementations (including his one) cannot be used to provide a safe mechanism for authoring user generated content without opening a site up to XSS vulnerabilities, since markdown allows arbitrary HTML markup.

Easily solved by proper use of HTMLPurifier on the output.
Thus negating any speed improvements in the markdown parser....
Considering you have to run any markdown parser through a sanitizer, the speed improvements still matter.
The markdown parser should be able to do it in an ideal world. Htmlpurifier is very slow.

edit:

To whoever downvoted me, I'm sorry, was I wrong? The markdown parser has to look at every input byte, obviously it's better to do the HTML sanitation at this level because the HTML parser must also look at every input byte, so, combine them into one pass...

Running HTMLPurifier on the output of the markdown parser is inefficient - it's sanitizing known good elements not just the potentially bad ones, so you're giving it more work to do.