On Markup Languages and Security

As many of you noticed, a couple of weeks ago we changed up the formatting on the site. This was done for security - A severe XSS vulnerability was found in our Markdown parser as well as a potential security issue in our Safe HTML parser, and we moved fast to disable them when it was discovered.

At the same time, we decided to go ahead and actually deprecate parsers that were considered deprecated internally for quite some time - Textile, Curse Wiki and Safe HTML.

In retrospect, this was shortsighted, and we should not have deprecated Safe HTML. Since we made the determination internally to deprecate it, it has seen a huge rise in popularity, primarily in the Bukkit Dev community, and we had not factored in this new usage. We moved fast on the security, and made a rash decision in the heat of the moment to deprecate it without re-evaluating usage. For that we apologize.

With that out of the way, I'm happy to announce that Safe HTML is back, and the same HTML subset is available if you use markdown.

The new and improved Safe HTML (and Markdown) supports the following tags:

a, abbr, b, big, blockquote, br, caption, code, dd,
del, dl, dt, em, h1, h2, h3, h4, h5, h6, hr, i,
img, li, ol, p, pre, s, small, strike, strong, sub,
sup, table, tbody, td, tfoot, th, thead, tr, ul

And attributes:

alt, colspan, href, rowspan, src, title

Note that both tags and attributes must be lowercase. Uppercase is no longer supported.

If you have any tags and attributes you'd like to see supported, let us know in the comments below, and we will consider adding them.

Have a good weekend.

You must login to post a comment. Don't have an account? Register to get one!

  • Avatar of tyzoid tyzoid Jun 12, 2012 at 20:29 UTC - 0 likes
    <<reply 753416="">> Cool. <font color="#f00">I also see that the font tag has been removed. Any particular reason for this either</font> I used them extensively in my project, and I don't see any alternate for them :/ Colors
    My plugins:Colors, ChestTrap (WIP)
  • Avatar of prencher prencher Jun 12, 2012 at 18:58 UTC - 0 likes

    @zachbora: Go

    We don't support underlining because it is often confused with links and on top of that makes for very bad typography (it changes the shape of the word). Instead, you should use the em or strong tags for emphasis.

    @tyzoid: Go

    Style is not supported because it'd allow undesirable control over the layout. We may in the future support a subset of style parameters, but it is not planned for at this time.

    Last edited Jun 12, 2012 by prencher
  • Avatar of tyzoid tyzoid Jun 11, 2012 at 20:19 UTC - 0 likes

    Any possibility supporting the style attribute?

    At any rate, thank you very much for the return of safe html.

    Last edited Jun 11, 2012 by tyzoid
  • Avatar of zachbora zachbora Jun 11, 2012 at 14:14 UTC - 0 likes

    Why is <u> not supported? Is it dangerous or is there an alternative?

  • Avatar of pyraetos pyraetos Jun 01, 2012 at 20:48 UTC - 0 likes

    Thank you! That was fast!

    pyraetos BFAK:pyraetos,74694,8641fdc68f36ccaf6606863662f8dce1e653b1a30ac4dd8ebd84ad2d8a636de7

  • Avatar of TnTBass TnTBass Jun 01, 2012 at 19:42 UTC - 0 likes

    That made a return much faster that I hoped.  Thank you sir.


  • Avatar of gravity_low gravity_low Jun 01, 2012 at 19:34 UTC - 0 likes

    Thanks for this update! I know a lot of BukkitDev users will be very glad to see the return of Safe HTML.


Date created
Jun 01, 2012
Last updated
Jul 02, 2012