
Not an issue, a suggestion

Open aphillipo opened this issue 10 years ago • 2 comments

I've been thinking about storing a JSON format rather than HTML for a while. HTML is extremely difficult to parse safely and whitelist; there are so many different security issues to consider when redisplaying HTML stored in a database that you might make a mistake.

I think storing JSON and turning it into HTML when it needs to be displayed will prevent a lot of the parsing problems, because your grammar in JSON will be simpler and the logic to redisplay stuff easier to make ignore content that shouldn't be there.

Just a thought. Feel free to close this.

aphillipo, Jul 07 '15 08:07

It sounds like you are suggesting something similar to what Medium uses internally: https://medium.com/medium-eng/why-contenteditable-is-terrible-122d8a40e480

The Medium Editor Model

The Medium editor model has two fields: a list of paragraphs, and a list of sections.
A section describes a background for a sublist of paragraphs.
Each paragraph contains

  • text, a string of plain text
  • markups, a list of formatting text ranges, like “bold from char 1 to 5”
  • metadata for images or embeds
  • layout, a description of how we should position the paragraph

webmasterkai, Aug 27 '15 00:08

Yes, it's along these lines but instead of being from a frontend organisation point of view it's from a backend point of view. Storing pure HTML in your database is unsafe and prone to people trying to skirt whatever filtering you provide in an almost infinite number of different ways.

If, however, you store something simpler (maybe the underlying structure) and then convert it to HTML or components as required, everything ends up much more secure.

aphillipo, Aug 28 '15 10:08
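The JSON-first approach discussed in this thread, as an added example that is not makona-editor's or Medium's code: a renderer that turns a Medium-style paragraph list (plain text plus markup ranges) into HTML, escaping every character of text and honouring only an allowlist of markup types, so unknown types, extra fields and out-of-range offsets in the stored JSON are dropped instead of rendered. The `ALLOWED_MARKUPS` table, the exact paragraph shape and the sample document are assumptions made for this example.

```javascript
// Added example, not makona-editor's or Medium's code. Renders a stored
// model {paragraphs:[{text, markups:[{type,start,end}]}]} to HTML.
const ALLOWED_MARKUPS = { bold: "strong", italic: "em", code: "code" }; // assumed allowlist

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Keep only markups with an allowlisted type and a sane [start, end) range.
function sanitizeMarkups(markups, textLength) {
  if (!Array.isArray(markups)) return [];
  return markups.filter(m => m && typeof m === "object" &&
    Object.prototype.hasOwnProperty.call(ALLOWED_MARKUPS, m.type) &&
    Number.isInteger(m.start) && Number.isInteger(m.end) &&
    m.start >= 0 && m.end <= textLength && m.start < m.end);
}

function renderParagraph(p) {
  const text = typeof p.text === "string" ? p.text : "";
  const markups = sanitizeMarkups(p.markups, text.length);
  // Cut the text at every markup boundary and wrap each segment with exactly the
  // markups covering it, so emitted tags stay balanced even if stored ranges overlap.
  const bounds = new Set([0, text.length]);
  for (const m of markups) { bounds.add(m.start); bounds.add(m.end); }
  const cuts = [...bounds].sort((a, b) => a - b);
  let html = "";
  for (let i = 0; i + 1 < cuts.length; i++) {
    const a = cuts[i], b = cuts[i + 1];
    const tags = markups.filter(m => m.start <= a && m.end >= b)
                        .map(m => ALLOWED_MARKUPS[m.type]);
    html += tags.map(t => `<${t}>`).join("") + escapeHtml(text.slice(a, b)) +
            tags.slice().reverse().map(t => `</${t}>`).join("");
  }
  return `<p>${html}</p>`;
}

function renderDocument(doc) {
  const paragraphs = doc && Array.isArray(doc.paragraphs) ? doc.paragraphs : [];
  return paragraphs.filter(p => p && typeof p === "object").map(renderParagraph).join("\n");
}

// Constructed sample: literal tags inside text, an unknown markup type, and a range past the end.
const SAMPLE_DOC = { paragraphs: [
  { text: "Hello <b>world</b>", markups: [{ type: "bold", start: 0, end: 5 }] },
  { text: "plain & simple", markups: [{ type: "link", start: 0, end: 5 }, { type: "italic", start: 8, end: 20 }] },
] };
console.log(renderDocument(SAMPLE_DOC));
```

Because markup is reconstructed from offsets rather than parsed out of stored HTML, the only way content reaches the page as a tag is through the allowlist table.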