Smarty
djn Smarty Rookie
Joined: 15 Nov 2004 Posts: 13 Location: Trst
Posted: Wed Oct 01, 2008 5:59 pm Post subject: Using markdown plugin with escape

Hello all.
I've used for some time the PHP Markdown syntax (http://michelf.com/projects/php-markdown/) to allow some formatting in stored data while filtering everything user-generated with strip_tags().
Then I started to follow another best security practice: escaping rendered output with escape:'html'. All was well until I used said Markdown syntax to insert some link into the content - the escaping was breaking the link.
The standard form of a link in Markdown being [link text](http://example.com/ "Title"), what happens is that escape converts the Title quotes into entities and the following markdown plugin misses the title part and attaches it to the URL, space and all (the link target becomes "http://example.com ''Title''" - not something a browser can make sense of).
The solution is to edit modifier.escape.php (at line 26 in the current version), putting ENT_NOQUOTES instead of ENT_QUOTES; the modifier will thus convert ampersands and tag brackets to entities, leaving quotes as they are. This still prevents unexpected HTML tags from being interpreted (the very purpose of escaping); meanwhile no major browser seems to have issues with unencoded quotes (tested with IE 6 and 7, Firefox 3, Opera 9.5, Safari 3, Chrome - all on Windows XP).
Hope this helps somebody with the same issue.
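As an added example, not code from the post, from Smarty or from PHP Markdown: a minimal PHP model of the escape-then-Markdown pipeline the post describes. The function names `escape_html`, `parse_link` and `render_link` are assumptions made for this example; `escape_html` stands in for the escape modifier's htmlspecialchars() call with the quote flag made explicit, `parse_link` uses a simplified stand-in for PHP Markdown's inline-link pattern (lazy URL group, optional quoted title), and `render_link` encodes its own attribute values. Running it shows the ENT_QUOTES case swallowing the entity-encoded title into the URL, the ENT_NOQUOTES case parsing the title cleanly, and tag brackets being encoded in both modes, so the stray `<script>` in the constructed input never reaches the browser as a tag.

```php
<?php
// Added example (not from the forum post, Smarty or PHP Markdown):
// a minimal model of escape:'html' followed by a Markdown link parse.

// Stand-in for the escape modifier: same htmlspecialchars() call, with the
// quote-handling flag passed in so both variants can be compared.
function escape_html(string $s, int $quoteFlag): string {
    return htmlspecialchars($s, $quoteFlag, 'UTF-8');
}

// Parse one inline link of the form [text](url "Title").
// Simplified stand-in for PHP Markdown's pattern: the URL group is lazy and
// the title is optional, so when the quotes have become &quot; the title
// is not recognised and ends up inside the URL, space and all.
function parse_link(string $s): ?array {
    $re = '/\[([^\]]+)\]\(\s*(.*?)\s*(?:(["\'])(.*?)\3\s*)?\)/';
    if (!preg_match($re, $s, $m)) {
        return null;
    }
    // Trailing unmatched groups are absent from $m, hence the ?? fallback.
    return ['text' => $m[1], 'url' => $m[2], 'title' => $m[4] ?? ''];
}

// Render the link. Attribute values are encoded with ENT_QUOTES here
// regardless of how the surrounding text was escaped, so a quote inside
// a title cannot terminate the title="" attribute.
function render_link(array $link): string {
    $html = '<a href="' . htmlspecialchars($link['url'], ENT_QUOTES, 'UTF-8') . '"';
    if ($link['title'] !== '') {
        $html .= ' title="' . htmlspecialchars($link['title'], ENT_QUOTES, 'UTF-8') . '"';
    }
    return $html . '>' . $link['text'] . '</a>';
}

// Constructed sample of stored, user-supplied Markdown (not real data).
$stored = '[link text](http://example.com/ "Title") <script>x</script>';

// ENT_QUOTES is what the shipped modifier uses; ENT_NOQUOTES is the
// change the post proposes.
foreach ([ENT_QUOTES => 'ENT_QUOTES', ENT_NOQUOTES => 'ENT_NOQUOTES'] as $flag => $name) {
    $escaped = escape_html($stored, $flag);
    $link = parse_link($escaped);
    echo $name, "\n";
    echo "  escaped: ", $escaped, "\n";
    echo "  url:     ", $link['url'], "\n";
    echo "  title:   ", $link['title'], "\n";
    echo "  html:    ", render_link($link), "\n";
}
```

With ENT_QUOTES the printed url is `http://example.com/ &quot;Title&quot;` and the title is empty, which is the broken link the post describes; with ENT_NOQUOTES the url is `http://example.com/` and the title is `Title`. In both runs the escaped line shows `&lt;script&gt;` rather than a tag, which is the part of the escaping the post keeps.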