HTML::StripScripts and markdown incompatibilities
David Chambers
david.chambers.05 at gmail.com
Tue Aug 24 09:09:21 EDT 2010
Louis-David Mitterrand <vindex+lists-markdown-discuss at apartia.org> wrote:
> Should I save the raw unfiltered post to DB and then (1) expand markdown and
> (2) filter with StripScripts only when _displaying_ the post? That would
> entail keeping some potentially "unclean" posts in the DB and having to
> StripScripts them repeatedly.
In my opinion the optimal solution is to save each post as is (i.e. as
Markdown), convert the post to HTML when required, strip nasties, and *cache
the result*. This is the approach I employ in Mango <http://mango.io/wtf?>,
and it seems to work well.
David
On 25 August 2010 00:49, Louis-David Mitterrand <vindex+lists-markdown-discuss at apartia.org> wrote:
> On Tue, Aug 24, 2010 at 08:41:05AM -0400, Michel Fortin wrote:
> > Le 2010-08-24 à 8:27, Louis-David Mitterrand a écrit :
> >
> > > I'm using perl's HTML::StripScripts to clean out unwanted/broken html
> > > from forum posts on my web site but it also removes <http://example.com>
> > > or <user at example.com> markdown constructs.
> > >
> > > Any idea how to make these two live together in harmony?
> >
> > Are you calling StripScripts before or after Markdown? You should
> > always filter tags after converting to HTML, as it seems StripScripts
> > was designed to filter HTML, not Markdown-formatted text.
> >
> > Long explanation:
> > <http://michelf.com/weblog/2010/markdown-and-xss/>
>
> Actually I save the forum posts to the DB in non-converted markdown and
> filtered of any unwanted html.
>
> Should I save the raw unfiltered post to DB and then (1) expand markdown
> and (2) filter with StripScripts only when _displaying_ the post? That
> would entail keeping some potentially "unclean" posts in the DB and
> having to StripScripts them repeatedly.
>
> --
> http://www.cruisefish.net
> _______________________________________________
> Markdown-Discuss mailing list
> Markdown-Discuss at six.pairlist.net
> http://six.pairlist.net/mailman/listinfo/markdown-discuss
>
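The ordering Michel describes and the store-raw, render, filter, cache pipeline David recommends, shown as an added example that is not code from this thread, from HTML::StripScripts or from any Markdown module: a toy Markdown subset and a toy tag filter stand in for the real converter and for HTML::StripScripts, and the sample posts are constructed here.

```python
import hashlib
import re

# Toy Markdown subset (stand-in for a real Markdown converter): inline links
# [text](url) and <http://...> autolinks. Raw HTML passes through, as in Markdown.
LINK_RE = re.compile(r"\[([^\]]+)\]\((\S+?)\)(?=\s|$)")
AUTOLINK_RE = re.compile(r"<(https?://[^>\s]+)>")
SAFE_SCHEME_RE = re.compile(r"(?i)^(?:https?:|mailto:)")

def render_markdown(source):
    def link(m):
        return '<a href="%s">%s</a>' % (m.group(2).replace('"', "%22"), m.group(1))
    html = LINK_RE.sub(link, source)
    return AUTOLINK_RE.sub(lambda m: '<a href="%s">%s</a>' % (m.group(1), m.group(1)), html)

def strip_scripts(html):
    """Toy HTML filter (stand-in for HTML::StripScripts): drop <script> elements,
    drop every tag except <a>, and neutralise hrefs whose scheme is not allowed."""
    html = re.sub(r"(?is)<script\b.*?</script>", "", html)
    html = re.sub(r"<(?!/?a\b)[^>]*>", "", html)  # to an HTML filter, <http://x> is a tag
    return re.sub(r'href="([^"]*)"',
                  lambda m: m.group(0) if SAFE_SCHEME_RE.match(m.group(1)) else 'href="#"',
                  html)

def filter_then_render(source):
    """The order from the original question: filter the Markdown, then render it."""
    return render_markdown(strip_scripts(source))

CACHE = {}  # sha256(markdown source) -> filtered HTML

def cache_key(source):
    return hashlib.sha256(source.encode("utf-8")).hexdigest()

def render_then_filter_cached(source):
    """Store Markdown as-is, render to HTML on demand, filter the HTML, cache it."""
    key = cache_key(source)
    if key not in CACHE:
        CACHE[key] = strip_scripts(render_markdown(source))
    return CACHE[key]

if __name__ == "__main__":
    # Constructed sample posts: an autolink the filter eats when it runs first,
    # and a link whose javascript: scheme only exists once Markdown has rendered it.
    for post in ("see <http://example.com>", "[click](javascript:void(0))"):
        print("filter->render:", filter_then_render(post))
        print("render->filter:", render_then_filter_cached(post))
```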