“Safe” markdown processor for PHP?

遥遥无期 2020-12-12 14:13

Is there a PHP implementation of markdown suitable for using in public comments?

Basically it should only allow a subset of the markdown syntax (bold, italic, links,

3 answers
  • 2020-12-12 14:53

    How about running htmlspecialchars on the user-entered input, before processing it through markdown? It should escape anything dangerous, but leave everything that markdown understands.

    I'm trying to think of a case where this wouldn't work but can't think of anything off hand.

  • 2020-12-12 15:03

    JavaScript Markdown Editor Hypothesis:

    • Use a JavaScript-driven Markdown Editor, e.g., based on showdown
    • Remove all icons and visual clues from the Toolbar for unwanted items
    • Set up a JavaScript filter to clean up unwanted markup on submission
    • Test and harden all JavaScript changes and filters locally on your computer
    • Mirror those filters in the PHP submission script, to catch the same on the server side.
    • Remove all references to unwanted items from Help/Tutorials

    I've created a Markdown editor in JavaScript, but it has enhanced features. That took a big chunk of time and SVN revisions. But I don't think it would be that tough to alter a Markdown editor to limit the HTML allowed.

  • 2020-12-12 15:15

    PHP Markdown has a sanitizer option, but it doesn't appear to be advertised anywhere. Take a look at the top of the Markdown_Parser class in markdown.php (starts on line 191 in version 1.0.1m). We're interested in lines 209-211:

    # Change to `true` to disallow markup or entities.
    var $no_markup = false;
    var $no_entities = false;

    If you change those to true, markup and entities, respectively, should be escaped rather than inserted verbatim. There doesn't appear to be any built-in way to change those (e.g., via the constructor), but you can always add one:

    require_once 'markdown.php';   // PHP Markdown, which defines Markdown_Parser

    // Render $text with PHP Markdown; when $safe is true, raw HTML and
    // entities in the input are escaped instead of being passed through.
    function do_markdown($text, $safe=false) {
        $parser = new Markdown_Parser;
        if ($safe) {
            $parser->no_markup = true;     // escape literal HTML tags
            $parser->no_entities = true;   // escape &...; entities as well
        }
        return $parser->transform($text);
    }

    Note that the above function creates a new parser on every run rather than caching it like the provided Markdown function (lines 43-56) does, so it might be a bit on the slow side.

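Added example, not code from any of the answers above: one PHP file that puts the two approaches discussed in this thread side by side, the escape-first idea from the first answer and the no_markup/no_entities flags from the third answer, with the parser cached across calls as the third answer recommends. It assumes markdown.php from PHP Markdown (the 1.0.1m layout the third answer cites, with Markdown_Parser, transform() and the stock Markdown() function) is on the include path; the function names render_comment_flags and render_comment_escaped and the sample comment are constructed for this example.

```php
<?php
// Added example (not from the thread). Two ways to render an untrusted
// comment with PHP Markdown so that raw HTML and entities in the input
// are escaped rather than passed through to the page.
// Assumption: markdown.php (PHP Markdown, 1.0.1m layout) is on the
// include path and provides Markdown_Parser and the Markdown() function.
require_once 'markdown.php';

// Approach A (third answer): one cached parser instance with the
// safety flags set, so the object is not rebuilt on every call.
function render_comment_flags($text) {
    static $parser = null;
    if ($parser === null) {
        $parser = new Markdown_Parser;
        $parser->no_markup   = true;   // literal HTML tags are escaped
        $parser->no_entities = true;   // &...; entities are escaped too
    }
    return $parser->transform($text);
}

// Approach B (first answer): escape HTML before Markdown sees it.
// htmlspecialchars touches only & < > " ', so the Markdown syntax
// characters (* _ [ ] ( ) #) survive and emphasis and links still work.
function render_comment_escaped($text) {
    $escaped = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    return Markdown($escaped);         // stock function, parser cached inside
}

// Constructed sample comment: legitimate markdown plus a raw HTML tag
// and an entity, the two things a public comment box must not pass through.
$comment = "**bold** and [a link](http://example.com/) <b>raw html</b> &amp;";

echo "A: ", render_comment_flags($comment), "\n";
echo "B: ", render_comment_escaped($comment), "\n";

// Pick one approach, not both: with no_entities set, the &lt; produced by
// htmlspecialchars is escaped a second time to &amp;lt; and the reader
// sees a literal "&lt;" instead of the character.
```

Both functions render the bold text and the link as HTML while the `<b>` tag and the entity come out escaped; the trailing comment in the block is the practical caveat when combining the two answers, since the flag approach escapes ampersands unconditionally and would double-escape input that was already run through htmlspecialchars.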