Parsedown parsing Markdown How to handle HTML escaping when filtering XSS

Source: Internet
Author: User
When using Parsedown to parse the Markdown, some problems of XSS filtering were encountered.

It is found that Parsedown will 代码 escape HTML code in the area, 代码 but not outside the area, as shown in the following code

PHP
  
   text($test);/**  * 得到结果是:  
<script>alert('test')</script>
* * */

So, this sentence has been successfully executed.

If that's the case, I'm going to escape it myself.

PHP
  
   text($test);/**  * 得到结果是:  
&lt;script&gt;alert(&#039;test&#039;)&lt;/script&gt;

<script>alert('test')</script>

*/

Although XSS is filtered out, the 代码 content of the area is escaped two times .

Then I found that the SF Markdown seems to be on the back end of the parse good, such as this page, its part of the source code is as follows:

html

我现在的代码是这样的

<title>Untitled Document</title>

<script>    function test(){        <?php            $conn = mysql_connect("localhost", "username", "123123");            mysql_select_db("username", $conn);            mysql_query("INSERT INTO ChargerTogether (Chat) VALUES ('test')");            $result= mysql_query("SELECT *FROM ChargerTogether");            echo "<p> {$result} </p>>";        ?>    }</script>

<body>
<input type="button" onClick="javascript:test();">

</body>

但这样是错误的
我该怎样做呢

The escape here is doing very well.

I think of the solution is: first escape, and then use Parsedown to parse, and then the regular match the parsed code, the reverse meaning (once).

Don't know if there are any better escape functions , or if there are other Markdown parsing classes that can filter XSS

P.S. I found a markdown-js on GitHub. With this thing, you can htmlspecialchars(() output the escaped string directly into one textaera , and it will parse correctly. Although I can hide the text box, but if you need to output a lot of Markdown (the post has a lot of replies), it is not a good solution ah!

Reply content:

When using Parsedown to parse the Markdown, some problems of XSS filtering were encountered.

It is found that Parsedown will 代码 escape HTML code in the area, 代码 but not outside the area, as shown in the following code

PHP
  
   text($test);/**  * 得到结果是:  
<script>alert('test')</script>
* * */

So, this sentence has been successfully executed.

If that's the case, I'm going to escape it myself.

PHP
  
   text($test);/**  * 得到结果是:  
&lt;script&gt;alert(&#039;test&#039;)&lt;/script&gt;

<script>alert('test')</script>

*/

Although XSS is filtered out, the 代码 content of the area is escaped two times .

Then I found that the SF Markdown seems to be on the back end of the parse good, such as this page, its part of the source code is as follows:

html

我现在的代码是这样的

<title>Untitled Document</title>

<script>    function test(){        <?php            $conn = mysql_connect("localhost", "username", "123123");            mysql_select_db("username", $conn);            mysql_query("INSERT INTO ChargerTogether (Chat) VALUES ('test')");            $result= mysql_query("SELECT *FROM ChargerTogether");            echo "<p> {$result} </p>>";        ?>    }</script>

<body>
<input type="button" onClick="javascript:test();">

</body>

但这样是错误的
我该怎样做呢

The escape here is doing very well.

I think of the solution is: first escape, and then use Parsedown to parse, and then the regular match the parsed code, the reverse meaning (once).

Don't know if there are any better escape functions , or if there are other Markdown parsing classes that can filter XSS

P.S. I found a markdown-js on GitHub. With this thing, you can htmlspecialchars(() output the escaped string directly into one textaera , and it will parse correctly. Although I can hide the text box, but if you need to output a lot of Markdown (the post has a lot of replies), it is not a good solution ah!

Just put the Parsedown in the source code (a total of three) escaped statements (as shown below) to comment out,

PHP$text = htmlspecialchars($text, ENT_NOQUOTES, 'UTF-8');

This sentence appears in the following three methods:
protected function blockCodeComplete($Block), protected function blockFencedCodeComplete($Block) ,protected function inlineCode($Excerpt)

And then modify it function text($text) :

function text($text)    {        #添加下面这行        $text = htmlspecialchars($text, ENT_NOQUOTES, 'UTF-8');        # Code...    }

This is a solution, but it may not be the most perfect solution, but also ask you to continue to provide a better solution ~

I also encountered this problem, and later found that as long as the code block outside the written can, so it will be converted into text.

  • Related Article

    Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.