HtmlEscaping and SafeLinks #181

Closed
wants to merge 6 commits into from

naNuke
Contributor

@naNuke naNuke commented Jun 2, 2014

Hello, I just started using Parsedown in my project and love it very much! But since I needed HTML escaping, I made some modifications that I use at the moment. I know that this is already discussed in the issue list and is possibly already being worked on, but I want to share my code just in case it might come in handy.

I tried to stay as much in style of parsedown code as I could.

Also I am sorry that I am not providing test cases for this, but I never worked with any tests and would possibly do it wrong.

  1. The HTML escaping works simply by providing another identifier for the > character in spanTypes and disabling all identifiers for tag, comments and markup handling.
  2. The safe links just check if there is 'javascript:' inside the link URL.

I did quite a bit of testing with various markdown texts and all seem to work properly, and by trying to understand the Parsedown code, I don't see a reason why this method of escaping should break the intended features of markdown.
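A link check of the kind item 2 above describes, written here as a scheme allowlist rather than a search for one string. This is an added example, not code from this pull request or from Parsedown; `isSafeLink()` and its default scheme list are assumptions.

```php
<?php
// Added example: not Parsedown code. isSafeLink() is a hypothetical helper.

function isSafeLink(string $url, array $allowedSchemes = ['http', 'https', 'mailto']): bool
{
    // Decode character references first, in case the href is later emitted
    // without escaping "&" and the browser would decode them itself.
    $candidate = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Browsers drop tabs/newlines inside a URL and leading control characters,
    // so remove all of them before looking for a scheme.
    $candidate = preg_replace('/[\x00-\x20]+/', '', $candidate);

    $colon = strpos($candidate, ':');
    if ($colon === false) {
        return true; // no scheme: relative URL or fragment
    }

    // A ":" that comes after "/", "?" or "#" belongs to the path, query or
    // fragment of a relative URL, not to a scheme.
    if (strcspn($candidate, '/?#') < $colon) {
        return true;
    }

    // Anything else has a scheme, which must be on the allowlist.
    $scheme = strtolower(substr($candidate, 0, $colon));
    return in_array($scheme, $allowedSchemes, true);
}

// Constructed sample inputs (not taken from the pull request).
$samples = [
    'https://example.com/page',
    '/docs/intro#section:one',
    'mailto:user@example.com',
    'javascript:alert(1)',
    "JaVa\tScRiPt:alert(1)",
    'data:text/html,hello',
];

foreach ($samples as $url) {
    printf("%-8s %s\n", isSafeLink($url) ? 'allow' : 'reject', json_encode($url));
}
```

The first three samples are allowed and the last three rejected; the returned boolean only decides whether the link is rendered, and the URL still has to be attribute-escaped when it is written into the `href`.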

@apfelbox
Contributor

apfelbox commented Jun 2, 2014

Related to #177 #161

@naNuke
Contributor Author

naNuke commented Jun 2, 2014

Changed my mind about the test cases since there were some small issues.

Now everything should work as intended.

@naNuke
Contributor Author

naNuke commented Jun 2, 2014

Hopefully last change. I initially thought that removing the identifiers from the types array would be better for performance, but then figured out it might be a huge pain to extend, so I moved the blocks into the identify methods instead. Feels much better now.

Cheers :)

@naNuke naNuke closed this Oct 10, 2014
@naNuke naNuke deleted the HtmlEscapeAndSafeLink branch October 10, 2014 13:32
@erusev
Owner

erusev commented Oct 10, 2014

@naNuke

I apologise for neglecting this for so long.

I was wondering if you saw the MarkupEscaped option in the latest release and if it resolves the issue that your pull request tries to resolve.

p.s. You can test the option at http://parsedown.org/demo?set[MarkupEscaped]=1

@naNuke
Contributor Author

naNuke commented Oct 10, 2014

Yes, that is why I closed the request :) though it doesn't add "safelinks" and I didn't see escaping of HTML comments, which can be used for XSS attacks in Internet Explorer, but my pull request is outdated anyway so I would have to remake it anyway :P

@erusev
Owner

erusev commented Oct 10, 2014

Thanks! I'd appreciate a pull request that addresses the escaping of comments. It should be as simple as possible, though, and strictly focused on the issue it resolves.

As to "safelinks", I'd love to discuss these in a separate issue.
