Why this? This is not a working blacklist to prevent XSS (e.g. onload="...")
A document that contains these tags will not be parsed properly by an HTML5 compliant parser; the parser will "swallow" other chunks of Markdown content that come after the tags. Hence, we disable the tags altogether.
This is a UX feature, not a security feature. XSS prevention, and a plethora of other security checks, are performed by our user content stack -- but this functionality is shared for all markup languages in GitHub (MD, RST, ASCIIDOC, ...), so it's not discussed in this spec.
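As an added illustration (not part of the reply above or of GitHub's code): a small model of the CommonMark raw-text HTML block rule that causes the swallowing, next to the "replace the leading `<`" mitigation GFM applies. The disallowed tag list and the regexes are my assumptions based on the GFM spec, not something this thread states.

```python
import re

# Assumption: the tag list of the GFM "disallowed raw HTML" extension.
DISALLOWED = ("title", "textarea", "style", "xmp", "iframe", "noembed",
              "noframes", "script", "plaintext")
# CommonMark HTML block "type 1": a line starting with one of these tags opens a
# raw block that runs until a line containing the end tag, or to end of document.
RAW_TEXT_TAGS = ("pre", "script", "style", "textarea")

_START = re.compile(r"^ {0,3}<(" + "|".join(RAW_TEXT_TAGS) + r")(?=[\s>]|$)", re.I)


def split_blocks(markdown):
    """Return (kind, text) chunks: 'html' for a type-1 raw block, 'md' otherwise.
    Only the raw-text block rule is modelled; other Markdown syntax stays 'md'."""
    blocks, lines, i = [], markdown.splitlines(), 0
    while i < len(lines):
        m = _START.match(lines[i])
        if not m:
            blocks.append(("md", lines[i]))
            i += 1
            continue
        end = re.compile(r"</" + m.group(1) + r">", re.I)
        j = i
        while j < len(lines) and not end.search(lines[j]):
            j += 1
        # j == len(lines): the end tag never came, so the rest was swallowed.
        blocks.append(("html", "\n".join(lines[i:j + 1])))
        i = j + 1
    return blocks


def tagfilter(markdown):
    """GFM's mitigation: neuter the leading '<' of disallowed tags (open and close)."""
    pat = re.compile(r"<(?=/?(?:" + "|".join(DISALLOWED) + r")(?:[\s>/]|$))", re.I)
    return pat.sub("&lt;", markdown)


def swallowed_lines(markdown):
    """Count source lines absorbed into raw HTML blocks."""
    return sum(len(t.splitlines()) for k, t in split_blocks(markdown) if k == "html")


# Constructed sample document: an unclosed <style> followed by ordinary Markdown.
SAMPLE = "\n".join([
    "Intro paragraph.",
    "",
    "<style>",
    "Some *emphasised* text the author wanted rendered.",
    "",
    "## A heading",
])
```

`swallowed_lines(SAMPLE)` reports the four lines from `<style>` onward as raw HTML, while `swallowed_lines(tagfilter(SAMPLE))` is zero because `&lt;style>` no longer opens a block.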
I think it's quite difficult to do though.
Hopefully now that GitHub has standardised their own flavour of it (and quite a nice flavour too), more people will start to use it.
Of course there is the obligatory XKCD: https://xkcd.com/927/