using markdown in a forum?

Aristotle Pagaltzis pagaltzis at
Thu May 6 08:47:36 EDT 2010

* Louis-David Mitterrand <vindex+lists-markdown-discuss at> [2010-05-06 13:25]:

> Fortunately HTML::Scrubber allows denying specific attributes
> based on a regexp:
>
> 'href' => qr{^(?!(?:java)?script)}i,
> 'src' => qr{^(?!(?:java)?script)}i,
>
> etc.

Augh, no. You don’t want to *forbid* *specific* things, you want to
*permit* only a limited set and block everything else. In the
simplest case that means you want something like this:

qr{ \A [ \t]* https? :// }ix

That will allow simply-written HTTP links and nothing else.

This is possibly also OK, though I haven’t done enough research:

qr{ \A [ \t]* (?: https? :// | / ) }ix

With this, simply-written site-local absolute links are OK in
addition to HTTP links.

Aristotle Pagaltzis // <>
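
The difference between the two approaches, as an added example that is not part of the original message: the rules from the thread are run over constructed sample attribute values, assuming (as with HTML::Scrubber attribute rules) that a value is kept when the regex matches. The `verdict` helper and all sample values are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Rules as they appear in the thread.
my %rules = (
    deny   => qr{^(?!(?:java)?script)}i,                  # quoted denylist rule
    allow1 => qr{ \A [ \t]* https? :// }ix,               # HTTP(S) links only
    allow2 => qr{ \A [ \t]* (?: https? :// | / ) }ix,     # plus site-local links
);
my @order = qw(deny allow1 allow2);

# Constructed sample values (not from the original post).
my @samples = (
    [ 'http://example.com/page', 'plain HTTP link' ],
    [ 'https://example.com/',    'plain HTTPS link' ],
    [ '/about/contact',          'site-local absolute link' ],
    [ 'javascript:void(0)',      'scheme the denylist names' ],
    [ ' javascript:void(0)',     'same value behind a leading space' ],
    [ 'vbscript:x',              'scheme the denylist does not name' ],
    [ 'data:text/plain,x',       'scheme the denylist does not name' ],
    [ 'ftp://example.com/file',  'scheme outside the allowlist' ],
    [ '//example.net/path',      'protocol-relative link, starts with /' ],
);

# Return 'keep' when the value matches the rule, 'drop' otherwise.
sub verdict {
    my ($rule, $value) = @_;
    return $value =~ $rule ? 'keep' : 'drop';
}

# Print one row per sample so the three rules can be compared side by side.
printf "%-27s %-6s %-6s %-6s %s\n", 'value', @order, 'note';
for my $sample (@samples) {
    my ($value, $note) = @$sample;
    printf "%-27s %-6s %-6s %-6s %s\n",
        "'$value'",
        (map { verdict($rules{$_}, $value) } @order),
        $note;
}
```

The denylist keeps every value it did not anticipate, while the first allowlist rule keeps only the two HTTP(S) links. The second rule also keeps `//example.net/path`, because a protocol-relative link begins with `/`.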
