Ask Your Question

HTML input in a question tricks the preview (but not the question page)

asked 2013-06-19 00:09:53 -0600

bochecha's avatar

updated 2013-06-19 00:22:13 -0600

You should click this link:

Click me!

See that popup?

The text formatter for questions should probably sanitize its input, and not accept HTML...

Update: The above only works in the preview while entering a question, not when viewing a question. Fair enough. :)

What about this?

<script type="text/javascript">alert('Booh!');</script>

Update: Same as above, this only throws a popup at my face in the preview, but as you can see the parser actually shows the HTML code, instead of interpreting it. Alright then.

So what about this, then?

<iframe src="">

Your browser does not support iframes.


Alright, iframes are properly escaped as well.

So as it turns out, the bug is not what I originally thought: the problem is that the preview doesn't actually preview what will end up on the question page.

Instead, the problem is that preview interprets the HTML and displays the result, while on the question page, the HTML is properly escaped / sanitized.

To see what I'm talking about, try editing this question. :)

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2013-06-19 00:24:45 -0600

bochecha's avatar

updated 2013-06-19 00:26:11 -0600

Obviously, I must try the same things in answers. :D

Click me!

<script type="text/javascript">alert('Booh!');</script> <iframe src="">

Your browser does not support iframes.


The preview of this answer shows the same wrong behaviour as the preview for questions.

Update: But fortunately, when displaying the question page, the parser properly escapes the HTML in this answer.

As for the question, try editing this answer to see what happens. :)

edit flag offensive delete link more


The previewer and the server use separate markdown to html converters, which don't have all the same features.

Evgeny's avatar Evgeny  ( 2013-06-19 06:01:26 -0600 )edit

Well, yes, that's the bug that I've reported here.

bochecha's avatar bochecha  ( 2013-06-19 06:55:09 -0600 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2013-06-19 00:09:53 -0600

Seen: 138 times

Last updated: Jun 19 '13