Markdown and XSS

Question

Ok, so I have been reading about markdown here on SO and elsewhere and the steps between user-input and the db are usually given as

1. convert markdown to html

Answer 1

Please see this link:

http://michelf.com/weblog/2010/markdown-and-xss/

> hello  href="javascript:alert('xss')">*you*

Becomes

 
hello you

∴​ you must sanitize after converting to HTML.