Sunday, 30 September 2012

Security implications of Markdown transformations

For the next version of O2 and TeamMentor I really would like to move to a Markdown world, where the content is stored as markdown and we use a C# markdown transformer to create the HTML.

At the moment there seems to be two good C# markdown APIs:
My questions are:
  • What are the security implications of these engines?
  • How good are they at handling malicious input?
  • Has there been a Thread-Model / Security review done?
  • Is XSS possible?
  • What other vulnerabilities exists?
  • How can they be used securely?