
No method to escape Markdown user input without breaking block quotes #200

Closed
gytdau opened this issue Oct 31, 2015 · 7 comments

@gytdau

gytdau commented Oct 31, 2015

There's no satisfactory way to escape user-submitted Markdown, as it uses the angle bracket > for a block quote, which is escaped into &gt; by default.

Example:

# Title 1

<script src="example.com"></script>

> Blockquote

Escaped:

# Title 1

&lt;script src=&quot;example.com&quot;&gt;&lt;/script&gt;

&gt; Blockquote

The issue here is that the blockquote is no longer recognized as valid Markdown. One solution could be adding your own escape function that ignores all right-angle brackets that are the first character on a line, which would instead convert it to:

# Title 1

&lt;script src=&quot;example.com&quot;&gt;&lt;/script&gt;

> Blockquote

... which then would result in the expected Markdown, with the blockquote intact. Another solution would be to treat the characters &gt; as the right angle bracket itself.

I'm not sure about the impact or complexity of these solutions, so feel free to just throw them out the window.
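The line-aware pre-escape suggested in the first post, as an added example in JavaScript (not code from league/commonmark or commonmark.js). It also accepts the up-to-three-space indentation and nested "> >" markers that CommonMark allows for block quotes, which goes a little beyond the "first character on a line" rule stated above.

```javascript
// Added example, not part of the issue or of either CommonMark implementation.
// HTML-significant characters are escaped everywhere except the block-quote
// markers that open a line, so "> Blockquote" survives while "<script>" is
// neutralised before the Markdown parser sees it.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// CommonMark lets a block-quote marker sit behind up to three spaces and nest
// as "> > text"; this pattern covers those cases as well as a bare leading ">".
// Group 1: the markers, group 2: the optional space after them, group 3: rest.
const QUOTE_PREFIX = /^( {0,3}>(?: {0,3}>)*)( ?)(.*)$/;

function escapeMarkdownInput(markdown) {
  return markdown.split('\n').map((line) => {
    const m = QUOTE_PREFIX.exec(line);
    if (m === null) return escapeHtml(line);      // ordinary line: escape everything
    const [, markers, space, rest] = m;
    return markers + space + escapeHtml(rest);    // keep the quote markers literal
  }).join('\n');
}

// Sample taken from the issue above.
const ISSUE_SAMPLE = '# Title 1\n\n<script src="example.com"></script>\n\n> Blockquote';

console.log(escapeMarkdownInput(ISSUE_SAMPLE));
// Prints the issue's desired output: the script tag is escaped, "> Blockquote" is intact.
```

Because the Markdown parser escapes code spans and code blocks again on output, a pre-escaped "<" inside backticks renders as a literal "&lt;", which is why the thread moves toward escaping raw HTML at render time instead.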

@GrahamCampbell
Member

NB, the spec is https://github.com/jgm/CommonMark, so, this issue probably belongs on commonmark itself, rather than this implementation of it.

@colinodell
Member

It might be possible if you tinker with adding/removing/adjusting the HTML parsers/renderers. I'd like to simplify this though because it's a common use case. Basically we'll add a simple config setting to toggle whether HTML should be left as-is or be escaped.

I'm currently out-of-town and I'll be very busy over the next few weeks, so it may not get done right away.


@GrahamCampbell
Member

Would still be nice if we could get this into the official spec in some way since it's surely a pretty common thing people want from markdown.

@colinodell
Member

Based on my research, the spec maintainers have decided that this doesn't belong in the spec:

The JS reference parser has implemented a safe configuration option which is basically what I'd like to replicate: commonmark/commonmark.js@57a1ae3

@colinodell
Member

@gytdau Please take a look at #201 and let me know what you think.

@gytdau
Author

gytdau commented Nov 1, 2015

@colinodell That looks great. :thumbsup:

@colinodell
Member

#201 has been merged. I'll try to tag a new release later today.
