I want my users to be able to write an article in Markdown, have it stored in the MySQL database (with the option to edit it 开发者_运维问答in the future), and displayed for other users.
In practice, this is my understanding of how it works:
INPUT
- user input via HTML form using Markdown syntax
$queryInput = mysql_real_escape_string($userInput);- insert sanitized string into database
OUTPUT
- query field from database
$output = Markdown($queryResult);- display
$output
Is that it?
Does PHP Markdown preclude the need for htmlspecialchars or Pure HTML ?
Thanks!
I evaluated the use of markdown in PHP some weeks ago (and decided not to use it, by the way). My thoughts:
It might not be a good idea to run the markdown parser each time the output is rendered - parsing the comment is quite expensive and the usual blog comment (as an example) is far more often read than written. You should run the markdown parser BEFORE saving the user input into the database!
Now the really tough problem: Markdown does not do any security checks by itself. All xss attacks are happily passed through. If you now think "no problem, I'll just strip_tags right after getting the user input", think again: it is quite possible that markdown creates the tags containing the XSS while processing the user input. So, you have to check the HTML code created by markdown for security problems - a very hard task which is very error prone. (That was the reason for not using it in my case - the benefit had no good ratio to the potential costs)
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论