Converting markdown to HTML with a customized WMD editor
For my application I customized slightly the way WMD behaves so when user enters empty lines, these are reflected in HTML output as <br />'s. Now I came to a point when I should store it somewhere at backend and so after going through SO posts for a while I'm not sure what is the best way to do it. I have a few options and if you could point out their pros/cons that would be much appreciated.
1. Send to server and store as markdown rather than HTML. To me obvious advantage would be keeping exactly same formatting as user originally entered. But then how can I convert it back to HTML for display to a client? It seems very troublesome to convert it on client side as even if it would be possible what would happen if JS would be disabled? If I wanted to do it on the server, then standard server side implementations of markup to HTML might be resource expensive. Would that be an issue in your opinion? Even if it wouldn't be the case then as I mentioned my WMD implementation is customised and those server side solutions wouldn't probably do the right conversion to markdown anyway and there always would be a risk that something would convert wrong.
2. Send to server as converted HTML. Same as above.. conversion on client side would be difficult, server side same with possibility of getting it wrong.
3. Send original markdown and converted HTML and store both. No performance issues related to converting markdown to HTML on client side, nor on server side. Users would have always same markdown they originally entered and same HTML they originally saw in preview (possibly sanitized in php though). It would have to take twice that much storage space though and that is my biggest worry.
I tend to lean towards 3rd solution as it seems simplest, but there is a worry of doubled storage space needed for this solution. Please bear in mind that my implementation of WMD is slightly modified and also I'm going with PHP/MySql server side implementation.
So apart from 3 options I listed above, are there any other possible solutions to my problem? Did I miss anything important that would make one of the options above better than the rest? And what other pros/cons would apply to each solution I listed? Also how is it implemented on SO? I read somewhere that they are using option 3, and so if it's good enough for SO would be good enough for me :) but not sure if it's true anyway, so how is it done?
Also please forgive me, but at least for once I got to say that StackOverflow IS THE BEST DAMN RESOURCE ON THE WEB and I truly appreciate all the people trying to help others here! The site and users here are simply amazing!
Comments (2)
One reason for accepting markdown instead of HTML from the client is that accepting arbitrary HTML from the client is a security risk: if you accept HTML then a client might send you HTML with malicious code, which you'd store and then feed back (perhaps to another client: so you end up sending malicious code to another client). For that reason, it might be better to accept only markdown (not HTML) from the client.
I don't know what "the standard server side implementations" are but I'd guess that this (generating HTML) is the kind of processing that a server ought to be able to do.
The 4th option is to store the markdown, and render the markdown to HTML using a server side library when it is requested, and then use caching to prevent a performance hit.
A comment on the security concern from ChrisW -- This is a really valid point to concern yourself with sanitizing that input. However, don't make the mistake of assuming the markdown is safe either. From what I've seen of WMD and its showdown.js processor, you can still feed it HTML and it will leave it in there. So it's possible for someone using WMD editor to still enter in <script> or whatever.
Actually talking about this makes me think I need to check my current implementation of this..
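An added example, not code from the posts above or from WMD/showdown.js: a minimal Markdown-subset renderer in JavaScript that escapes raw HTML before applying Markdown rules, restricts link schemes, and caches the rendered HTML per post as in the 4th option. The function names, the rule that each empty line becomes <br />, and the sample post are assumptions made for illustration.

```javascript
// Added example: a minimal Markdown-subset renderer (hypothetical; this is
// not showdown.js, WMD, or a complete Markdown implementation).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Only these URL schemes may end up in an href; javascript:, data: etc. are dropped.
const SAFE_URL = /^(https?:|mailto:)/i;

// Runs on text that is already escaped, so every tag in the output is one
// this function wrote itself.
function renderInline(escaped) {
  return escaped
    .replace(/\*\*(.+?)\*\*/g, "<strong>$1</strong>")
    .replace(/\[([^\]]+)\]\(([^)\s*]+)\)/g, (m, text, url) =>
      SAFE_URL.test(url) ? `<a href="${url}" rel="nofollow">${text}</a>` : text);
}

// Assumption: each empty line becomes <br />, as in the asker's customized WMD.
function renderMarkdown(md) {
  const out = [];
  let para = [];
  const flush = () => {
    if (para.length) out.push(`<p>${renderInline(para.join(" "))}</p>`);
    para = [];
  };
  for (const line of md.split(/\r?\n/)) {
    if (line.trim() === "") { flush(); out.push("<br />"); }
    else para.push(escapeHtml(line.trim()));
  }
  flush();
  return out.join("\n");
}

// Option 4: keep only the Markdown as the stored value and cache the HTML.
const cache = new Map(); // postId -> { md, html }
function renderCached(postId, md) {
  const hit = cache.get(postId);
  if (hit && hit.md === md) return hit.html;
  const html = renderMarkdown(md);
  cache.set(postId, { md, html });
  return html;
}

// Constructed sample post: raw HTML plus a javascript: link.
const SAMPLE =
  "Hi **there** <script>alert(1)</script>\n\n" +
  "[x](javascript:evil) [ok](https://example.com/?a=1&b=2)";
```

Relative links are rejected by this allowlist. With a full Markdown library the same two controls apply: disable or escape raw HTML, and validate URL schemes or sanitize the rendered output against an allowlist.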