Markdown

a_magical_me · July 2006

Markdown

Lussumo Bot · March 2007

Uploaded version 1.1.2 of Markdown.

Lussumo Bot · March 2007

Uploaded version 1.1.2 of Markdown.

dkodr · March 2008

This extension doesn't allow the usage of inline HTML, while Markdown should. HTML tags are being parsed as plain text. Is there a way to fix this?

RogerH · March 2008

This is excellent but is it possible to restrict which tags can be used? Ideally I'd like to block headers and rules.

WallPhone · March 2008

Yes, HTML is stripped by the extension, for security purposes. I believe the ideal setup would be to chain this formatter with the Kses formatter so that the post passes through them both.

dkodr · March 2008

I'd really appreciate it if you could tell me how to allow HTML in this extension.

WallPhone · March 2008

You'd have to replace line 18 ($String = $this->ProtectString($String);) with some other function that strips out potentially harmful HTML.

I'd recommend copying kses.php inside the markdown folder, then add include('kses.php'); just after the dictionary definition, and change line 18 to be $string = kses($String, array());

This would also give you some kind of tag policy, where you could put a list of HTML tags and attributes you want to allow in the array if Kses blocks them.

edam · March 2009

Great extension! Just two tiny points:

I notice that the Markdown StringFormatter doesn't call StringFormatter's ParseChildren() to give any child formatters a chance to work their magic.
Since you are supposed to be able to enter HTML tags in Markdown, why not parse the document through the HTML StringFormatter, if that plugin is present?

The following patch will achieve both these aims:

--- default.php.orig    2009-03-13 15:57:59.000000000 +0000
+++ default.php 2009-03-19 12:52:39.000000000 +0000
@@ -17,13 +17,21 @@
 class MarkdownFormatter extends StringFormatter {
        function Parse($String, $Object, $FormatPurpose) {
                if ($FormatPurpose == FORMAT_STRING_FOR_DISPLAY) {
-                       $String = $this->ProtectString($String);
-                       return Markdown($String);
+                       if( isset( $Object->Context->StringManipulator->Formatters[ "Html" ] ) ) {
+                               $String = Markdown( $String );
+                               $String = $Object->Context->StringManipulator->Formatters[ "Html" ]->Execute( $String, true );
+                       }
+                       else {
+                               $String = $this->EscapeHtml( $String );
+                               $String = Markdown( $String );
+                       }
+                       $String = $this->ParseChildren($String, $Object, $FormatPurpose);
+                       return $String;
                } else {
                        return $String;
                }
        }
-       function ProtectString ($String) {
+       function EscapeHtml ($String) {
                //$String = str_replace("<", "<", $String);
                // $String = str_replace(">", ">", $String);
                $String = explode("\n", $String);

There is a problem with this though. The HTML formatter, by default, is set to convert newlines to <br/> tags. This makes the output of the HTML formatter look screwed up (spread out over far too many lines). There are two ways to fix this.

First, you could turn off the HTML formatter's HTML_CONVERT_NEWLINES option at the top of HtmlFomatter/default.php plugin. I don't like this solution though, cause I want the HTML formatter to convert newlines. The second solution is to apply this patch to the HTML formatter, so that we can specify that the HTML formatter should only parse and not do formatting:

--- default.php.orig    2009-03-19 13:02:20.000000000 +0000
+++ default.php 2009-03-19 13:04:46.000000000 +0000
@@ -111,7 +111,7 @@
                $this->TagArray = &$GLOBALS['Html_TagArray'];
        }

-       function Execute($String)
+       function Execute($String, $ParseOnly)
        {
                $this->TagArray = array('normal' => array(), 'extraclosing' => array());
                $String = str_replace(chr(0), ' ', $String);
@@ -172,7 +172,7 @@
                                $sReturn
                        );

-               if(HTML_CONVERT_NEWLINES)
+               if(HTML_CONVERT_NEWLINES && !$ParseOnly)
                        $sReturn = str_replace(
                                array("\r\n", "\r", "\n"),
                                '<br />',
@@ -389,7 +389,7 @@

        function Parse($String, $Object, $FormatPurpose)
        {
-               if($FormatPurpose == FORMAT_STRING_FOR_DISPLAY) $sReturn = $this->Execute($String);
+               if($FormatPurpose == FORMAT_STRING_FOR_DISPLAY) $sReturn = $this->Execute($String, false);
                else $sReturn = $String;

                return $this->ParseChildren($sReturn, $Object, $FormatPurpose);

edam · March 2009

@WallPhone: kses.php is unsuitable for these purposes for two reasons:

It is no longer maintained, and
it is only a simple filter, it will not remove malicious close tags (for example)

astacey · March 2010

Warning: it is simple to insert malicious code with this plugin as is. The inbuilt sanitiser only sanitises tags that aren't in code blocks. Unfortunately, it doesn't always get it right as to what is and isn't a code block, thus letting through html tags which markdown doesn't then escape (which it would if they were in a code block). So some additional sanitiser is required.

Markdown

Comments