Markdown doesn't always generate XHTML
Michel Fortin
michel.fortin at michelf.com
Fri Mar 14 23:43:56 EDT 2008
Preprocessing markdown is something extremely difficult to get right...
Le 2008-03-14 à 16:57, Petite Abeille a écrit :
> Or one could preprocess the text directly before rendering it, e.g.:
>
> aText = aText:gsub( '(`?)(<.->)(`?)', '`%2`' )
> aText = markdown( aText )
> aText = aText:gsub( '(`)(<.->)(`)', '%2' )
That looks rather hackish and trivial to work around if you want to
inject random HTML. It may protect the user from accidentally
inserting HTML, but it will only detract for a couple of seconds
someone voluntarily seeking to do it. What would it do with this for
instance?
``<script <!--
alert("Hello world!")
</script <>```
If I understand the preprocessing, the example string would be
unchanged after preprocessing. When passed through PHP Markdown and
Markdown.pl (tried on the Dingus), this will pop an alert.
> Or at least this is what Nanoki, a wiki engine implemented in Lua,
> does to protect the innocent from shooting themselves in the foot :)
>
> http://svr225.stepx.com:3388/nanoki
>
> Try to edit the online demo:
>
> http://svr225.stepx.com:3388/test
As expected, the example above pops an alert. I'm not sure why, but
even this one works:
<script <!--
alert("Hello world!")
</script <>
> In theory, functional anomalies aside, Nanoki's pages should always
> render as valid XHTML.
Practice always defies theory once the theory is put in practice.
Michel Fortin
michel.fortin at michelf.com
http://michelf.com/
More information about the Markdown-Discuss
mailing list