On Markup Languages and Security

As many of you noticed, a couple of weeks ago we changed up the formatting on the site. This was done for security - A severe XSS vulnerability was found in our Markdown parser as well as a potential security issue in our Safe HTML parser, and we moved fast to disable them when it was discovered.

At the same time, we decided to go ahead and actually deprecate parsers that were considered deprecated internally for quite some time - Textile, Curse Wiki and Safe HTML.

In retrospect, this was shortsighted, and we should not have deprecated Safe HTML. Since we made the determination internally to deprecate it, it has seen a huge rise in popularity, primarily in the Bukkit Dev community, and we had not factored in this new usage. We moved fast on the security, and made a rash decision in the heat of the moment to deprecate it without re-evaluating usage. For that we apologize.

With that out of the way, I'm happy to announce that Safe HTML is back, and the same HTML subset is available if you use markdown.

The new and improved Safe HTML (and Markdown) supports the following tags:

a, abbr, b, big, blockquote, br, caption, code, dd,
del, dl, dt, em, h1, h2, h3, h4, h5, h6, hr, i,
img, li, ol, p, pre, s, small, strike, strong, sub,
sup, table, tbody, td, tfoot, th, thead, tr, ul

And attributes:

alt, colspan, href, rowspan, src, title

Note that both tags and attributes must be lowercase. Uppercase is no longer supported.

If you have any tags and attributes you'd like to see supported, let us know in the comments below, and we will consider adding them.

Have a good weekend.