Roundup Tracker - Issues

Message6319

Author rouilj
Recipients ThomasAH, ber, mschieder, ncoghlan, rouilj
Date 2019-01-12.01:41:45
Message-id <1547257306.0.0.142300160055.issue2550856@roundup.psfhosted.org>
In-reply-to
Hi Magnus:

I took a look at local_markdown.py, the commonmark spec and the Python
implementation. My one concern is that raw html is passed through the
parser.

I wonder if this could be used for some form of attack using html/iframe
or possibly letting a <script> tag skip through. The latter would be
really bad as without the correct restrictions in place it would be
executed.

I think using local_replace to change < into &lt; and > into &gt;
before passing the resulting text to local_markdown will shortcut this
attack, but I am not positive.

However doing so will break markdown email links: <address@example.com>
for example. It may also have some other unwanted side effects.

I didn't see an obvious way to patch/modify the commonmark library
to neuter html and wrap it in <pre> blocks. Alternatively prevent
some tags (e.g. iframe, script) from being recognized as a block.
Maybe this can be done by modifying reHtmlBlockOpen, or monkey patching
a class may work. My Python knowledge isn't good enough to say.

Also have you considered implementing a document preview mode to allow
web entry of commonmark to be tested before it is committed?

-- rouilj
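
The trade-off described in the message above, as an added example (not part of the original message and not Roundup's code): escaping every angle bracket before the text reaches the markdown renderer also destroys autolinks, while a filter that leaves a narrow set of autolinks intact keeps them. The function names, the http/https allow-list and the sample text are assumptions made for this illustration.

```python
import re

# One DNS label, as in the CommonMark email autolink grammar.
_LABEL = r"[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?"
# Email autolink; stricter than the spec in that the local part must start
# with a letter or digit, so "<!..." and "<?..." are never preserved.
_EMAIL = (r"<[a-zA-Z0-9][a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]*@"
          + _LABEL + r"(?:\." + _LABEL + r")*>")
# URI autolink limited to http/https (assumption). The spec accepts any
# scheme, so an unrestricted pattern would also keep <javascript:...>.
_URI = r'<https?://[^\s<>"]*>'
AUTOLINK = re.compile(_EMAIL + "|" + _URI)


def escape_all(text):
    """Replace every angle bracket, as floated in the message."""
    return text.replace("<", "&lt;").replace(">", "&gt;")


def escape_except_autolinks(text):
    """Escape angle brackets everywhere except inside allowed autolinks."""
    out, pos = [], 0
    for m in AUTOLINK.finditer(text):
        out.append(escape_all(text[pos:m.start()]))  # text before the link
        out.append(m.group(0))                       # autolink kept verbatim
        pos = m.end()
    out.append(escape_all(text[pos:]))
    return "".join(out)


# Constructed sample input, not taken from the tracker.
SAMPLE = (
    "Contact <address@example.com> or see <https://example.com/docs>.\n"
    "<script>alert(1)</script>\n"
    '<iframe src="https://example.net/"></iframe>\n'
    "<javascript:alert(1)>\n"
)

if __name__ == "__main__":
    print(escape_all(SAMPLE))
    print(escape_except_autolinks(SAMPLE))
```

Pre-escaping of either kind still changes other CommonMark input: a leading `>` no longer starts a block quote, and `&lt;` inside a code span is displayed literally.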
History
Date                 User    Action  Args
2019-01-12 01:41:46  rouilj  set     messageid: <1547257306.0.0.142300160055.issue2550856@roundup.psfhosted.org>
2019-01-12 01:41:45  rouilj  set     recipients: + rouilj, ber, ThomasAH, ncoghlan, mschieder
2019-01-12 01:41:45  rouilj  link    issue2550856 messages
2019-01-12 01:41:45  rouilj  create