Home/ Questions/Q 3394618
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-18T04:11:30+00:00

I’m using CKEditor in Markdown format to submit user created content. I would like

  • 0

I’m using CKEditor in Markdown format to submit user created content. I would like to sanitize this content from malicious tags, but I would like to keep the formatting that is the result of the markdown parser. I’ve used two methods that do not work.

Method one

<!--- Sanitize post content --->
<cfset this.text = HTMLEditFormat(this.text)>
<!--- Apply mark down parser --->
<cfx_markdown textIn="#this.text#" variable="parsedNewBody">

Problem For some reason <pre> and <blockquote> are being escaped, and thus I’m unable to use them. Only special characters appear. Other markdown tagging works well, such as bold, italic, etc. Could it be CKEdit does not apply markdown correctly to <pre> and <blockquote>?

Example: If I were to type <pre><script>alert("!");</script></pre> I would get the following: &lt;script&gt;alert(&quot;!&quot;);&lt;/script&gt;

Method two

Same as method one, but reverse the order where the sanitation takes place after the markdown parser has done it’s work. This is effectively useless since the sanitation function will escape all the tags, malicious ones or ones created by the markdown parser.

While I want to sanitize malicious content, I do want to keep basic HTML tags and contents of <pre> and <blockquote> tags!–any ideas how?

Thanks!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    There are two important sanitizations that need to be done on user generated content. First, you want to protect your database from SQL injection. You can do this by using stored procedures or the <cfqueryparam> tag, without modifying the data.

    The other thing you want to do is protect your site from XSS and other content-display based attacks. The way you do this is by sanitizing the content on display. It would be fine, technically, to do it before saving, but generally the best practice is to store the highest fidelity data possible and only modify it for display. Either way, I think your problem is that you’re doing this sanitization out of order. You should run the Markdown formatter on the content first, THEN run it through HTMLEditFormat().

    It’s also important to note that HTMLEditFormat will not protect you from all attacks, but it’s a good start. You’ll want to look into implementing OWASP utilities, which is not difficult in ColdFusion, as you can directly use the provided Java implementation.

    • 0