On Markup Languages and Security

As many of you noticed, a couple of weeks ago we changed up the formatting on the site. This was done for security - A severe XSS vulnerability was found in our Markdown parser as well as a potential security issue in our Safe HTML parser, and we moved fast to disable them when it was discovered.

At the same time, we decided to go ahead and actually deprecate parsers that were considered deprecated internally for quite some time - Textile, Curse Wiki and Safe HTML.

In retrospect, this was shortsighted, and we should not have deprecated Safe HTML. Since we made the determination internally to deprecate it, it has seen a huge rise in popularity, primarily in the Bukkit Dev community, and we had not factored in this new usage. We moved fast on the security, and made a rash decision in the heat of the moment to deprecate it without re-evaluating usage. For that we apologize.

With that out of the way, I'm happy to announce that Safe HTML is back, and the same HTML subset is available if you use markdown.

The new and improved Safe HTML (and Markdown) supports the following tags:

a, abbr, b, big, blockquote, br, caption, code, dd,
del, dl, dt, em, h1, h2, h3, h4, h5, h6, hr, i,
img, li, ol, p, pre, s, small, strike, strong, sub,
sup, table, tbody, td, tfoot, th, thead, tr, ul

And attributes:

alt, colspan, href, rowspan, src, title

Note that both tags and attributes must be lowercase. Uppercase is no longer supported.

If you have any tags and attributes you'd like to see supported, let us know in the comments below, and we will consider adding them.

Have a good weekend.

You must login to post a comment. Don't have an account? Register to get one!

  • Avatar of storm345 storm345 Feb 25, 2013 at 07:39 UTC - 0 likes

    How can you embed youtube using safe html?


  • Avatar of RingOfStorms RingOfStorms Aug 29, 2012 at 23:22 UTC - 0 likes

    Would like to see font color.


  • Avatar of Phanx Phanx Aug 20, 2012 at 07:21 UTC - 0 likes

    Would you consider supporting data URIs in the src attribute for img tags? Currently they just get turned into "broken image" placeholders.

  • Avatar of Phanx Phanx Jul 22, 2012 at 11:48 UTC - 0 likes

    Is there any way to get IDs on headings now? It was really useful to be able to put a link at the top of the description that sent users to the "How to report a bug" section further down the page.

    Headings used to get auto-generated IDs (eg. "How to report a bug" would get an ID of "c-how-to-report-a-bug" which could be linked to with href="#c-how-to-report-a-bug") but this does not seem to be happening anymore, either on WowAce.com or on Curse.com. Creole, Markdown, and Safe HTML all generate semantically recognizable headings (eg. h1-h6) so it shouldn't be too hard to re-implement.

    It would also be nice to have some way of floating images to the left or right. Most images aren't even close to the full width of the page, so they look kind of silly with a bunch of blank space next to them. I understand that "style" is out of the question, so I'm not sure how this could be implemented.

    Last edited Jul 28, 2012 by Phanx
  • Avatar of Hidendra Hidendra Jul 07, 2012 at 17:47 UTC - 0 likes

    could you also add back alignment tags to markdown? e.g most useful one being <center>

    this was lost and I don't see any other way of centering. Right now, my previous <center> tag is centering the image by itself but is of course not optimal :P

  • Avatar of KeybordPiano459 KeybordPiano459 Jul 06, 2012 at 00:28 UTC - 1 like

    Could you possibly allow the style and/or iframe tags?

  • Avatar of prencher prencher Jun 18, 2012 at 16:52 UTC - 0 likes

    @Phanx: Go

    Markdown is Markdown. However, the Safe HTML subset is also available when using Markdown.

  • Avatar of Phanx Phanx Jun 18, 2012 at 08:07 UTC - 0 likes

    I see definition lists (dl, dt, dd) are supported in Safe HTML, and the post mentions that the same HTML subset is available in Markdown. However, the official Markdown syntax doesn't support definition lists, and the CurseForge syntax info page just points to the official Markdown page for syntax info.

    Are you guys actually using one of the Markdown extensions that supports definition lists? If so, what's the syntax?

  • Avatar of feildmaster feildmaster Jun 16, 2012 at 19:40 UTC - 0 likes

    I would like the ability to use safeHTML in wikicreole. :P

    But the serious suggestion: attribute width (specifically in tables)

    Last edited Jun 16, 2012 by feildmaster
  • Avatar of prencher prencher Jun 13, 2012 at 01:18 UTC - 0 likes

    @tyzoid: Go

    It again comes down to styling. While there are innocent cases, it enables too much control over the display of the page. We give you access to a lot of data and text formatting, but not style or layout.


Date created
Jun 01, 2012
Last updated
Jul 02, 2012