php-markdown icon indicating copy to clipboard operation
php-markdown copied to clipboard
verified publisher icon michelf

Automatic links not working on encoded strings

Open ArthaTi opened this issue 8 years ago • 7 comments

On my site, user input is encoded (htmlspecialchars) before it gets parsed. However, this means that the automatic links <...> do not work.

Please fix, thanks.

ArthaTi avatar Sep 21 '17 17:09 ArthaTi

That's not something that can be fixed in the Markdown parser.

You'll need to reverse what htmlspecialchar is doing before passing the content to the parser. You could, for instance, use htmlspecialchars_decode. Or you could try to not using htmlspecialchar in the first place.

michelf avatar Sep 21 '17 17:09 michelf

@michelf

But, after markdown processes the text I somehow must escape those characters...

ArthaTi avatar Sep 22 '17 14:09 ArthaTi

Then you need a post-filter that whitelists the allowed HTML tags and attributes and removes anything unsafe. You'll probably want to check URLs in links too so they can't include JavaScript code. Markdown is not a content sanitizer.

michelf avatar Sep 22 '17 14:09 michelf

@michelf I understand and I already had some troubles with it.

But, even if Markdown is made to accept not html-encoded input, blockquotes seem to work...? Why isn't the same possible with this function?

ArthaTi avatar Sep 22 '17 14:09 ArthaTi

Blockquotes use > which is probably left alone htmlspecialchar. Automatic links start with < which needs to be encoded in HTML.

michelf avatar Sep 22 '17 14:09 michelf

@michelf idk then, PHP docs say that > actually gets escaped

ArthaTi avatar Sep 22 '17 15:09 ArthaTi

If that was the case, you wouldn't get a blockquote. You can try it on the dingus, this won't give you a blockquote:

&gt; this
&gt; and that

michelf avatar Sep 22 '17 15:09 michelf