Preprocessing markdown is something extremely difficult to get right...
On 2008-03-14 at 16:57, Petite Abeille wrote:
> Or one could preprocess the text directly before rendering it, e.g.:
> aText = aText:gsub( '(`?)(<.->)(`?)', '`%2`' )
> aText = markdown( aText )
> aText = aText:gsub( '(`)(<.->)(`)', '%2' )
That looks rather hackish and trivial to work around if you want to
inject random HTML. It may protect the user from accidentally
inserting HTML, but it will only detract for a couple of seconds
someone voluntarily seeking to do it. What would it do with this for
instance?
``<script <!--
alert("Hello world!")
</script <>```
If I understand the preprocessing, the example string would be
unchanged after preprocessing. When passed through PHP Markdown and
Markdown.pl (tried on the Dingus), this will pop an alert.
> Or at least this is what Nanoki, a wiki engine implemented in Lua,
> does to protect the innocent from shooting themselves in the foot :)
> http://svr225.stepx.com:3388/nanoki
> Try to edit the online demo:
> http://svr225.stepx.com:3388/test
As expected, the example above pops an alert. I'm not sure why, but
even this one works:
<script <!--
alert("Hello world!")
</script <>
In theory, functional anomalies aside, Nanoki's pages should always
render as valid XHTML.
Practice always defies theory once the theory is put in practice.
Michel Fortin
[EMAIL PROTECTED]
http://michelf.com/
_______________________________________________
Markdown-Discuss mailing list
Markdown-Discuss@six.pairlist.net
http://six.pairlist.net/mailman/listinfo/markdown-discuss
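To make the point of the reply concrete, here is an added example (not code from the thread, Nanoki, or either poster) that translates the two quoted Lua gsub calls into Python regular expressions and checks what they do to a benign tag and to the backtick-wrapped string quoted above. Lua's `.` matches newlines and `.-` is a lazy match, so the Python patterns use `re.DOTALL` and `.*?`. The `escape_markup` function is an assumed hardened alternative, not anything the wiki does.

```python
import re
import html

# Python translation of the two Lua gsub calls quoted in the thread.
# Lua '.' matches newlines (hence re.DOTALL) and '.-' is the lazy '.*?'.
PRE = re.compile(r'(`?)(<.*?>)(`?)', re.DOTALL)
POST = re.compile(r'(`)(<.*?>)(`)', re.DOTALL)


def preprocess(text: str) -> str:
    """Step 1 of the quoted pipeline: wrap every <...> run in backticks."""
    return PRE.sub(r'`\2`', text)


def postprocess(text: str) -> str:
    """Step 3 of the quoted pipeline: strip backticks directly around <...>."""
    return POST.sub(r'\2', text)


def preprocess_is_noop(text: str) -> bool:
    """True when step 1 leaves the text byte-for-byte unchanged.

    Because the optional backtick groups consume one backtick on each side
    and the replacement puts exactly one back, input that already carries
    backticks around the tag run comes out identical: the filter does
    nothing, which is the observation made in the reply above.
    """
    return preprocess(text) == text


def escape_markup(text: str) -> str:
    """Assumed hardened alternative (not Nanoki's code): HTML-escape every
    angle bracket and ampersand before Markdown runs, so no raw tag can
    reach the output no matter how it is wrapped in backticks."""
    return html.escape(text, quote=False)


def contains_raw_tag(text: str) -> bool:
    """Rough check used only for the demonstration: any '<' followed by a letter."""
    return re.search(r'<[a-zA-Z]', text) is not None


# Constructed inputs: a harmless inline tag, and the string quoted in the thread.
BENIGN = 'some <b>bold</b> text'
PAYLOAD = '``<script <!--\nalert("Hello world!")\n</script <>```'

if __name__ == '__main__':
    print(preprocess(BENIGN))            # some `<b>`bold`</b>` text
    print(preprocess_is_noop(PAYLOAD))   # True: the filter is a no-op here
    print(contains_raw_tag(escape_markup(PAYLOAD)))  # False
```

Escaping every `<` up front is deliberately blunt: it also kills Markdown autolinks such as `<http://example.com/>` and any intentional inline HTML, which is the trade-off the regex approach was trying to avoid. If inline HTML has to be allowed, the robust place to enforce policy is an allowlist sanitizer run on the rendered HTML, not a pattern rewrite of the Markdown source.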