Markdown doesn't always generate XHTML

Michel Fortin michel.fortin at michelf.com
Fri Mar 14 23:43:56 EDT 2008


Preprocessing markdown is something extremely difficult to get right...

Le 2008-03-14 à 16:57, Petite Abeille a écrit :


> Or one could preprocess the text directly before rendering it, e.g.:
>
> aText = aText:gsub( '(`?)(<.->)(`?)', '`%2`' )
> aText = markdown( aText )
> aText = aText:gsub( '(`)(&lt;.-&gt;)(`)', '%2' )


That looks rather hackish and trivial to work around if you want to
inject random HTML. It may protect the user from accidentally
inserting HTML, but it will only detract for a couple of seconds
someone voluntarily seeking to do it. What would it do with this for
instance?

``<script <!--
alert("Hello world!")
</script <>```

If I understand the preprocessing, the example string would be
unchanged after preprocessing. When passed through PHP Markdown and
Markdown.pl (tried on the Dingus), this will pop an alert.
> Or at least this is what Nanoki, a wiki engine implemented in Lua,
> does to protect the innocent from shooting themselves in the foot :)
>
> http://svr225.stepx.com:3388/nanoki
>
> Try to edit the online demo:
>
> http://svr225.stepx.com:3388/test


As expected, the example above pops an alert. I'm not sure why, but
even this one works:

<script <!--
alert("Hello world!")
</script <>

> In theory, functional anomalies aside, Nanoki's pages should always
> render as valid XHTML.

Practice always defies theory once the theory is put in practice.


Michel Fortin
michel.fortin at michelf.com
http://michelf.com/
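To check the analysis in this message offline, here is an added Python example (not Nanoki's code): a port of the quoted Lua gsub step, assuming Lua's `.-` corresponds to Python's lazy `.*?` under DOTALL, plus a simple defender-side check for a script start tag. It confirms that the probe string passes through the preprocessor unchanged while still containing a `<script` tag.

```python
import re

# Port of the first quoted gsub, '(`?)(<.->)(`?)' -> '`%2`'.
# Assumption: Lua's "." and lazy ".-" behave like Python's "." under
# re.DOTALL and ".*?". This is an added example, not Nanoki's Lua.
WRAP_TAGS = re.compile(r"`?(<.*?>)`?", re.DOTALL)


def wrap_tags_in_backticks(text: str) -> str:
    """Wrap every <...> run in exactly one pair of backticks, as the preprocessor does."""
    return WRAP_TAGS.sub(r"`\1`", text)


def preprocessing_is_noop(text: str) -> bool:
    """True when the preprocessor hands its input back unchanged (the failure described above)."""
    return wrap_tags_in_backticks(text) == text


# Detection helper: a <script start tag followed by whitespace, "/" or ">",
# which is how a tolerant HTML parser would still see a script element even
# when the attribute area is mangled. Used purely as a check on the output.
SCRIPT_START = re.compile(r"<script(?=[\s/>])", re.IGNORECASE)


def contains_script_start_tag(text: str) -> bool:
    return SCRIPT_START.search(text) is not None


# The probe string from the message, constructed inline for the test.
PROBE = '``<script <!--\nalert("Hello world!")\n</script <>```'

if __name__ == "__main__":
    print(wrap_tags_in_backticks("Hello <b>world</b>"))  # Hello `<b>`world`</b>`
    print(preprocessing_is_noop(PROBE))                   # True
    print(contains_script_start_tag(PROBE))               # True
```

The surrounding backticks in the probe are consumed and re-emitted one-for-one by the regex, so the string round-trips untouched and only a check on the rendered output would catch it.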




More information about the Markdown-Discuss mailing list