为什么 MarkdownSharp 不编码我的 HTML?
在我看来,Markdown 的更大目标之一是防止用户直接输入可能格式错误的 HTML。
嗯,这在 MarkdownSharp 中对我来说并不完全有效。
当“abc”后面有额外的换行符时,此示例可以正常工作... 
但是当换行符不存在时,我认为它仍然应该是 HtmlEncoded,但事实并非如此这里发生了... 
在幕后,渲染的标记来自 iframe。这就是它背后的代码......
<%
var md = new MarkdownSharp.Markdown();
%>
<%= md.Transform(Request.Form[0]) %>
我肯定错过了一些东西。哦,我正在使用 v1.13(撰写本文时的最新版本)。
编辑(这是对 StackOverflow 实现的测试)
abc
this shouldn't be redIn my mind, one of the bigger goals of Markdown is to prevent the user from typing potentially malformed HTML directly.
Well that isn't exactly working for me in MarkdownSharp.
This example works properly when you have the extra line break immediately after "abc"...
But when that line break isn't there, I think it should still be HtmlEncoded, but that isn't happening here...
Behind the scenes, the rendered markup is coming from an iframe. And this is the code behind it...
<%
var md = new MarkdownSharp.Markdown();
%>
<%= md.Transform(Request.Form[0]) %>
Surely I must be missing something. Oh, and I am using v1.13 (the latest version as of this writing).
EDIT (this is a test for StackOverflow's implementation)
abc
this shouldn't be red
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
对于那些不想使用 Steve Wortham 的定制解决方案的人,我已向 MarkdownSharp 人员提交了一个问题和建议的修复方案:http://code.google.com/p/markdownsharp/issues/detail?id=43
如果您下载我附加的 Markdown.cs 文件,您会发现一个新选项可以设置。它将阻止 MarkdownSharp 重新编码代码块中的文本。
只是不要忘记在将输入传递到 Markdown 之前而不是之后对其进行 HTML 编码。
另一种解决方案是像 Stack Overflow 一样将 HTML 标签列入白名单。您可以在将内容传递到 Markdown 后执行此操作。
有关更多信息,请参阅:http://www.CodeTunnel.com /blog/post/24/mardownsharp-and-encoded-html
For those not wanting to use Steve Wortham's customized solution, I have submitted an issue and a proposed fix to the MarkdownSharp guys: http://code.google.com/p/markdownsharp/issues/detail?id=43
If you download my attached Markdown.cs file you will find a new option that you can set. It will stop MarkdownSharp from re-encoding text within the code blocks.
Just don't forget to HTML encode your input BEFORE you pass it into markdown, NOT after.
Another solution is to white-list HTML tags like Stack Overflow does. You would do this AFTER you pass your content to markdown.
See this for more information: http://www.CodeTunnel.com/blog/post/24/mardownsharp-and-encoded-html
由于很明显 StackOverflow 实现包含相当多的自定义项,测试和弄清楚这些自定义项可能非常耗时,因此我决定转向另一个方向。
我创建了自己的简化标记语言,它是 Markdown 的子集。开源项目位于 http://ultralight.codeplex.com/,您可以看到一个工作示例http://www.bucketsoft.com/ultralight/
该项目是一个完整的 ASP.NET MVC使用 Javascript 编辑器解决方案。与 MarkdownSharp 不同的是,安全的 HTML 是有保证的。 Javascript 解析器在客户端和服务器端使用,以保证一致的标记(特别感谢 Jurassic Javascript 编译器)。只需为该解析器维护一个代码库是一件美妙的事情。
尽管该项目仍处于测试阶段,但我已经在自己的网站上使用它,并且到目前为止似乎运行良好。
Since it became clear that the StackOverflow implementation contains quite a few customizations that could be time consuming to test and figure out, I decided to go another direction.
I created my own simplified markup language that's a subset of Markdown. The open-source project is at http://ultralight.codeplex.com/ and you can see a working example at http://www.bucketsoft.com/ultralight/
The project is a complete ASP.NET MVC solution with a Javascript editor. And unlike MarkdownSharp, safe HTML is guaranteed. The Javascript parser is used both client-side and server-side to guarantee consistent markup (special thanks to the Jurassic Javascript compiler). It's a beautiful thing to only have to maintain one codebase for that parser.
Although the project is still in beta, I'm using it on my own site already and it seems to be working well so far.
也许是我没理解?如果您在 Markdown 中开始一个新的代码块,无论其类型如何,您确实需要一个双换行符和四个空格缩进——单个换行符在我拥有的任何渲染器中都不起作用到手。
让步:
abc -- 这里有一个代码块:
从你所说的来看,MarkdownSharp 似乎对这个规则做得很好,所以只有一个换行符(但缩进):
我们得到了一团糟,而不是代码块:
abc -- 这里来了一个代码块:
这应该是
我认为 StackOverflow 正在剥离
标签的代码,因为他们认为注释不应该有分区之类的东西。 (?)(一般来说,他们必须做很多其他处理,不是吗,例如获得语法突出显示等等?)编辑:我认为人们对 Markdown 实现的期望是错误的。例如,正如我在下面所说的,不存在“无效降价”之类的东西。它不是一种编程语言或类似语言。我已经验证了我可以从命令行获得的所有三个 Markdown 实现都会无差别地“转换”随机 .js 和 .c 文件,或者插入到其他合理的 Markdown 中的文件(以及插入的 zip 文件和其他废话)到有效的 html 中浏览器根本不介意显示——尽管它确实是鸡爪。如果您想排除某些内容,例如在 wiki 程序中,您当然可以进一步做一些事情,就像大多数使用 markdown 的 wiki 程序所做的那样。
Maybe I'm not understanding? If you are starting a new code block in Markdown, in all its varieties, you do need a double linebreak and four-space indentation -- a single newline won't do in any of the renderers I have to hand.
yielding:
abc -- Here comes a code block:
From what you are saying it seems that MarkdownSharp does fine with this rule, so with just one newline (but indentation):
we get a mess not a code block:
abc -- Here comes a code block:
This should be code
I assume StackOverflow is stripping the
<div>tags, because they think comments shouldn't have divisions and suchlike things. (?) (In general they have to do a lot of other processing don't they, e.g. to get syntax highlighting and so on?)EDIT: I think people are expecting the wrong thing of a Markdown implementation. For example, as I say below, there is no such thing as 'invalid markdown'. It isn't a programming language or anything like one. I have verified that all three markdown implementations I have available from the command line indifferently 'convert' random .js and .c files, or those inserted into otherwise sensible markdown -- and also interpolated zip files and other nonsense -- into valid html that browsers don't mind displaying at all -- chicken scratches though it is. If you want to exclude something, e.g. in a wiki program, you do something further, of course, as most markdown-employing wiki programs do.