-
The Markdown can easily contain XSS
Yes, that's why my tool escaped all the <, and why HTML posts won't work in it.
The raw Markdown is only ever supposed to be accessed by the person who made it. You may have just forced me to changed the API ...
Not my intention, tool deleted.
Nick.Earthloop-
Yes, that's why my tool escaped all the <, and why HTML posts won't work in it.
The problem with XSS is that just escaping < isn't enough to defeat it.
But... you can actually trust the HTML we output. If you had used that, I'd embrace the tool and would wonder how to integrate it.
If we had a "HTML to equivalent Markdown" tool, then you could trust the HTML and get back to easily readable and editable Markdown. Something like https://github.com/kates/html2markdown .
That would be good as then we'd have the basis for allowing quoting in a way that was similar to the old way.
But whatever the solution is, you just can't trust the original user Markdown.
Velocio
This is a bad idea. Do not do this.
The value of the Markdown field is untrusted.
The Markdown can easily contain XSS. Whilst you could never put this on a site as we'd process it out... having one user access the raw Markdown of another does create the risk that the user who is using your tool will now be susceptible to any XSS attack put into the Markdown.
The raw Markdown is only ever supposed to be accessed by the person who made it. You may have just forced me to changed the API such that you cannot get the raw Markdown if you are not authenticated as the person who wrote it.