Comments (10)
FroMage
commented on May 27, 2024
Sorry just updated the description, I initially sent the wrong markdown sample.
from markdownpapers.
lruiz
commented on May 27, 2024
I will take a look, as soon as I can.
Thanks for reporting it
from markdownpapers.
lruiz
commented on May 27, 2024
Well it seems the expected behavior, there is not html processing in codeblock.
You can check all other implementations here http://babelmark.bobtfish.net/
from markdownpapers.
lruiz
commented on May 27, 2024
Any comments?
from markdownpapers.
FroMage
commented on May 27, 2024
Sorry I was away for a while. This may be the behaviour of others, but it hurts security, as it makes it harder to filter the markdown text upstream to disallow HTML. What we do now is we escape any HTML we find in the markdown source, then we run the markdown processor and it appears that code blocks are broken this way.
Now if markdown escapes HTML in codeblocks it makes the caller work a lot harder as we essentially have to first parse the markdown to only HTML-escape non-codeblocks. That's pretty nuts, no?
from markdownpapers.
lruiz
commented on May 27, 2024
I think a better approach would be to extend HtmlEmitter, if you don't want to allow scripting it could be something like this...
class MySecureHtmlEmitter extends org.tautua.markdownpapers.HtmlEmitter {
public SecureHtmlEmitter(Appendable buffer) {
super(buffer);
}
public boolean isTagAllowed(Tag t) {
return !t.getName().equals("script");
}
public boolean isTagAttributeAllowed(TagAttribute a) {
return !a.getName().startsWith("on");
}
@Override
public void visit(Tag node) {
if(isTagAllowed(node)){
append("<");
append(node.getName());
for (TagAttribute a : node.getAttributes()) {
if(isTagAttributeAllowed(a)) { //event attributes
append(SPACE);
append(a.getName());
append("=\"");
append(a.getValue());
append("\"");
}
}
if(node.jjtGetNumChildren() == 0) {
append("/>");
} else {
append(">");
node.childrenAccept(this);
append("</");
append(node.getName());
append(">");
}
}
}
}
If you want to escape html then "<" -> "<"
Then use your implementation.
Reader r = ...
Writer w = ...
Parser p = new Parser(r);
MySecureHtmlEmitter e = new MySecureHtmlEmitter(w);
p.parse().accept(e);
from markdownpapers.
lruiz
commented on May 27, 2024
I hope it helps.
from markdownpapers.
FroMage
commented on May 27, 2024
Sorry about the delay again :(
That sounds OK thanks for the tip, but that doesn't let me filter out HTML from the input. I want to forbid HTML altogether and only allow Markdown. Is there a way to do that?
from markdownpapers.
lruiz
commented on May 27, 2024
Sure, It will be something like this
class CustomHtmlEmitter extends org.tautua.markdownpapers.HtmlEmitter {
public CustomHtmlEmitter(Appendable buffer) {
super(buffer);
}
@Override
public void visit(Tag node) {
//do nothing
}
}
from markdownpapers.
FroMage
commented on May 27, 2024
OK thanks a lot, I'll try this.
from markdownpapers.
Related Issues (20)
- In correct ending tag HOT 2
- support markdown plus table
- Code block within a list item HOT 5
- The only way to specify a "title" tag on an image is to use the "id" mechanism HOT 2
- A newline inside a bracket breaks the parser
- Underscores inside links break the parser
- Strikethrough support
- An asterisk with a space causes a syntax error
- Would like to request a new release HOT 4
- Lines that begin with a valid `something` sequence are not transformed HOT 2
- Incorrect parsing of HTML entities representing numerical entities
- Markdown inside span-levelelements does not get parsed
- Two problems with parsing (found in gitblit)
- anchor links don't close HOT 1
- Doesn't recognise code blocks within list items HOT 2
- code block with explicit language
- Emphasis content lost in generated HTML HOT 1
- Image will not parse with the format  HOT 2
- Can`t find org.tautua.markdownpapers.parser.Parser HOT 1
- a **ParseExcept** error in `md.transform(in, out);` HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from markdownpapers.