我可能将来某个时候需要实现这一点,但我认为现在引发这个问题的主要是好奇心。
我想到了如何为我即将建立的网站编写一个文本编辑器,并看到了这个网站(和其他网站)的方式,所以我想 - 是不是有点太复杂了?如果从一开始就应该使用标签,为什么不让用户使用 HTML 标签呢?我能想到的唯一原因是 HTML 注入,我对此不太了解,但这听起来是一个很容易解决的问题,不是吗?
谢谢。
I may need to implement this sometime in the future, but I think the trigger for the question now is mainly curiosity.
I thought of how to write a text editor to a web site I'll build soon, and saw this site's (and other's) way, so I thought - isn't it a bit too complicated? If tags should be used from the first place, why not let users use HTML tags? The only reason I can think of is HTML injection which I don't know much about, but it sounds like an easy issue to solve, isn't it?
Thank you.
发布评论
评论(4)
仅仅是因为并非所有用户都了解 HTML。
*粗体文本*
比粗体文本
更容易理解(并以原始形式阅读)。特别是当你进入链接时。我们使用 Markdown、Textile 等的原因是为了提供一个可供更多用户使用的良好替代方案。
当然,您仍然可以向用户提供使用 HTML 的能力(它在 Markdown 规范中),但您必须进行大量检查以确保没有恶意行为 - 例如,阻止
< script>
、、大图像、JavaScript,格式为
< /代码> 等
Simply because not all of your users will know HTML.
*bold text*
is a lot more easy to understand (and read in it's raw form) than<b>bold text</b>
. Especially if you get into links.The reason we use Markdown, Textile and the rest is to provide a nice alternative that's accessible to more users.
Of course you can still provide the ability to use HTML to your users (it's in the Markdown spec) but you'll have to do a lot of checking to make sure there's nothing malicious going on - for example, blocking
<script>
,<iframe>
, large images, javascript in the form<a href="javascript:alert("...");">
etc.不应该在这样的编辑器中使用 HTML 标签有几个原因:
1) 如果您引入自己的精简标签集,对用户来说可能会不太复杂
2) HTML 注入:存在注入危险 HTML 代码的巨大风险。
如果你真的想允许 HTML 代码,你必须非常小心。
There are several reason why you should not use HTML tags in such an editor:
1) It might be less complex for the user if you introduce an own reduced tag set
2) HTML Injection: There is a big risk of dangerous HTML code getting injected.
If you really want to allow HTML code you have to be very careful.
从历史上看,像 BBCode 这样的系统旨在将可用的格式化元素限制为不会破坏布局的内容但现在,有了更成熟、更智能的 HTML 解析器,没有必要仅仅为了禁止某些不安全的 HTML 标签而发明一种新的标记语言。
目前我看到的主要原因是 HTML 对于大多数用户来说是陌生的,而 HTML 替代品旨在提供日常用户所需的格式化指令的简化版本。
Historically, systems like BBCode were designed to limit available formatting elements to things that would not break the layout of the site, but now, with more mature and smarter HTML parsers, it's not necessary to invent a new markup language just to bar certain un-safe HTML tags.
The current main reason I've seen is that HTML is foreign to most users, and the HTML substitutes are aimed at providing a simplified version of the formatting directives an every-day user would need.
HTML 脚本注入并不是一个容易解决的问题。 HTML 是一种相当复杂的非常规语言 - 检测所有可能的漏洞是一个非常困难的问题。很多网站都尝试过,但都失败了。从漏洞预防的角度来看,完全禁止 HTML 或仅允许一小部分标签会更容易。
HTML script injection is most emphatically not an easy problem to solve. HTML is a fairly complicated, non-regular language - detecting all possible vulnerabilities is a really hard problem. Many sites have tried, and failed. It's easier, from a vulnerability-prevention POV, to just prohibit HTML entirely, or allow only a small subset of tags.