Hello,

on Friday 13 January 2012 at 16:45, Martin Hofmann wrote:
> > I'm only a bit sad about the duplication of work in including different
> > markdown engines into fossil. However I like to believe I still have a
> > head-start in that I'm already willing to hand over copyright (assuming
> > I can keep it over my own independent copy).
>
> Oh, that I grabbed `discount` is rather coincidental: it is one of the
> few C-only implementations (that I know of, the other one being
> Fletcher T. Penney's [`multimarkdown`] [1]). Furthermore, it has a
> BSD-style licence and is intended to be used as a library.
That's also the only two I knew about when I started writing mine, as
explained in http://fossil.instinctive.eu/libupskirt/index

> > Also, according to a private communication from a github employee, they
> > switched from discount to a fork of my library because of "several
> > critical security vulnerabilities that are not quite trivial to fix". I
> > haven't been able to gather any further details, but considering how
> > wide wiki-append-permissions seem supposed to be, I wouldn't treat wiki
> > contents as trusted.
>
> Didn't know that. On their [website] [2] they (still?) profess to use
> `Redcarpet`, a wrapper around the `Sundown` library (that I don't know
> much either).

Sundown is actually their fork of my libupskirt. It originally shared the
name, but it was deemed too politically incorrect, so they renamed it.

> Anyway, I'm not fixated on `discount` and would happily try out your
> library as well, if that's alright with you. What is needed by me is
> basically a simple "string-in-string-out" API.

Sure. The link above is the fossil repository of my library, you are
welcome to try with it.

My library uses its own version of dynamic string buffers and dynamic
arrays. I started adapting it to use fossil facilities, which would mean
better integration, though I dropped it when other more important things
in my life started to go wrong. I will try to dig it out and hopefully
finish it.

> > But then again, standard markdown allows raw HTML inclusion, so security
> > issues will eventually be raised (at least for people like me who would
> > not trust wiki contributors with raw HTML).
>
> You have a point. Maybe it is possible to "tame" the generated HTML by
> checking for and removing elements and attributes that are "out of
> limits" ...?

I would simply forbid any inline HTML, but I might be a bit of an
extremist there. Anyway, I don't pretend to have any useful answer at
this point, I only wanted to raise the questions.

Natacha
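Martin's suggestion of "taming" the generated HTML, removing elements and attributes that are out of limits, is in practice an allowlist sanitizer run over the renderer's output. The following is an added example to illustrate that approach; it is not code from libupskirt, discount, Sundown or fossil, and it is written in Python around the standard-library html.parser rather than in C. The tag and attribute allowlist, the permitted URL schemes and the sample rendered wiki fragment are all assumptions constructed for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist (an assumption for this example): tag -> attributes permitted on it.
# Any tag or attribute not listed here is stripped from the output.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "hr": set(), "em": set(), "strong": set(),
    "b": set(), "i": set(), "code": set(), "pre": set(), "blockquote": set(),
    "ul": set(), "ol": set(), "li": set(), "h1": set(), "h2": set(), "h3": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "title"},
}
VOID_TAGS = {"br", "hr", "img"}            # never receive a closing tag
DROP_WITH_CONTENT = {"script", "style"}    # element *and* its text are removed
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" means a relative URL


def url_is_safe(url):
    """Reject javascript:, data:, vbscript: and any other unexpected scheme.
    urlsplit() lower-cases the scheme, so 'JavaScript:' is caught too."""
    if url is None:
        return False
    return urlsplit(url.strip()).scheme in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    """Rebuilds the document from parse events, emitting only allowlisted
    tags and attributes and re-escaping every text node and attribute value."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skipping = None  # name of the script/style element being skipped

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_WITH_CONTENT:
            self.skipping = tag
            return
        allowed = ALLOWED_TAGS.get(tag)
        if allowed is None:
            return  # unknown element (iframe, form, ...): drop the tag, keep its text
        parts = []
        for name, value in attrs:
            if name not in allowed:
                continue  # this also covers every on* event handler and style=
            if name in ("href", "src") and not url_is_safe(value):
                continue
            parts.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(parts)))

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skipping:
            # convert_charrefs already decoded entities; escape() re-encodes them.
            self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions hit the base class's
    # no-op handlers, so they are dropped as well.


def sanitize(rendered_html):
    """String in, string out: filter the HTML a markdown engine produced."""
    parser = Sanitizer()
    parser.feed(rendered_html)
    parser.close()
    return "".join(parser.out)


# Constructed sample of what an untrusted wiki page might render to.
SAMPLE = (
    '<p>Hello <em>world</em> &amp; <a href="https://example.com" title="x">link</a></p>'
    '<script>alert("xss")</script>'
    '<p onclick="steal()">click <a href="javascript:alert(1)">me</a></p>'
    '<img src="x" onerror="steal()" alt="pic">'
    '<iframe src="https://attacker.invalid/"></iframe>'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Unknown elements lose their tag but keep their text, script and style lose both, and every surviving attribute value is re-escaped, so a contributor cannot smuggle markup through an attribute either. The filter makes no attempt to balance unclosed tags, and a deployment should track the allowlist against what the markdown engine actually emits; the other option raised in the thread, refusing inline HTML altogether, is done in the markdown engine by escaping raw HTML instead of passing it through, which needs no output filter at all.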
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users