Smarty Forum -> Tips and Tricks
The discussions here are for Smarty, a template engine for the PHP programming language.

Using markdown plugin with escape

Author: 
djn
Posted: Wed Oct 01, 2008 5:59 pm    Post subject: Using markdown plugin with escape

Hello all.

For some time I've used the PHP Markdown syntax (http://michelf.com/projects/php-markdown/) to allow some formatting in stored data, while filtering everything user-generated with strip_tags().

Then I started to follow another best security practice: escaping rendered output with escape:'html'. All was well until I used said Markdown syntax to insert a link into the content - the escaping was breaking the link.

The standard form of a link in Markdown being [link text](http://example.com/ "Title"), what happens is that escape converts the title quotes into entities, and the following markdown plugin misses the title part and attaches it to the URL, space and all (the link target becomes "http://example.com ''Title''" - not something a browser can make sense of).

The solution is to edit modifier.escape.php (at line 26 in the current version), putting ENT_NOQUOTES instead of ENT_QUOTES; the modifier will thus convert ampersands and tag brackets to entities, leaving quotes as they are. This still prevents unexpected HTML tags from being interpreted (the very purpose of escaping); meanwhile, no major browser seems to have issues with unencoded quotes (tested with IE 6 and 7, Firefox 3, Opera 9.5, Safari 3 and Chrome, all on Windows XP).

Hope this helps somebody with the same issue.
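The following is an added example, not code from the post above or from the Smarty or PHP Markdown projects. It reproduces the two htmlspecialchars() settings the post compares (ENT_QUOTES, which is what Smarty's escape:'html' uses, and the ENT_NOQUOTES replacement) and adds the check a practitioner wants before changing the flag globally: whether the escaped value is still safe in the HTML context it ends up in. Leaving quotes unencoded is harmless between tags, but an escape modifier is typically also used inside quoted attributes (title="{$x|escape}", value="{$x|escape}"), and there an unencoded double quote closes the attribute. The inputs $link and $hostile are constructed for the example.

```php
<?php
// Added example, not code from the original post or from Smarty/PHP Markdown.
// Compares the two htmlspecialchars() flag settings discussed in the post and
// checks in which HTML context each one is safe to use.

declare(strict_types=1);

// What Smarty's escape:'html' does: htmlspecialchars() with ENT_QUOTES.
function escape_quotes(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// The patched behaviour from the post: ENT_NOQUOTES leaves ' and " untouched.
function escape_noquotes(string $s): string
{
    return htmlspecialchars($s, ENT_NOQUOTES, 'UTF-8');
}

// Context check for element content (between tags): only a raw '<' can start
// markup there, and both flag settings encode it, so raw quotes are harmless.
function safe_in_element_content(string $escaped): bool
{
    return strpos($escaped, '<') === false;
}

// Context check for a double-quoted attribute value: a raw '"' closes the
// attribute, and whatever follows is parsed as further attributes.
function safe_in_dq_attribute(string $escaped): bool
{
    return strpos($escaped, '"') === false;
}

// Constructed inputs: the Markdown link from the post, and a value crafted to
// break out of a quoted attribute.
$link    = '[link text](http://example.com/ "Title")';
$hostile = '" onmouseover="alert(1)';

// 1. Why escape:'html' breaks the link: the title's quotes become &quot;, so a
//    Markdown parser run on the result no longer recognises a title part.
printf("ENT_QUOTES:   %s\n", escape_quotes($link));
printf("ENT_NOQUOTES: %s\n", escape_noquotes($link));

$variants = [
    'ENT_QUOTES'   => escape_quotes($hostile),
    'ENT_NOQUOTES' => escape_noquotes($hostile),
];

// 2. Element content: both variants neutralise the hostile value.
foreach ($variants as $mode => $out) {
    printf("%-12s in <p>...</p>      : <p>%s</p> -> %s\n",
        $mode, $out, safe_in_element_content($out) ? 'safe' : 'UNSAFE');
}

// 3. Attribute value: only ENT_QUOTES keeps the value inside title="...".
//    With ENT_NOQUOTES the first " closes the attribute and onmouseover="..."
//    becomes a live event handler on the element.
foreach ($variants as $mode => $out) {
    printf("%-12s in title=\"...\": <a title=\"%s\">x</a> -> %s\n",
        $mode, $out, safe_in_dq_attribute($out) ? 'safe' : 'UNSAFE');
}
```

Because editing modifier.escape.php changes every escape:'html' on the site, including those that feed attribute values, a less invasive variant of the same idea is to register the no-quotes function as its own modifier and use it only in the Markdown pipeline: in Smarty 2 (current when the post was written) with $smarty->register_modifier('escape_noquotes', 'escape_noquotes'); and then {$content|escape_noquotes|markdown} in the template, where markdown is assumed to be the modifier the post refers to (Smarty 3 registers modifiers with registerPlugin('modifier', ...) instead). The order matters: the Markdown output must not be escaped again, since it is the HTML (including the <a href="..."> tag) that is meant to be rendered, and the safety of that output then rests on how the Markdown implementation encodes the URL and title it places into href and title attributes.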