Add `noMarkup` option to escape user HTML #224
Resolves #106. This change introduces a new option - `noMarkup`. You could set it in the `setNoMarkup()` method similar to the `setBreaksEnabled()` one.

Example usage:

```php
<?php
$parsedown = new Parsedown();
$parsedown->setNoMarkup(true);
$parsedown->text('<div><strong>*Some text*</strong></div>');
// Outputs:
// <p>&lt;div>&lt;strong><em>Some text</em>&lt;/strong>&lt;/div></p>
```
Shouldn't it escape '>' like it does with '<'?
@xPaw No need. http://stackoverflow.com/questions/9010678/html-should-i-encode-greater-than-or-not-gt I think you'd need to escape It should also be escaped in attributes, but this is not relevant to this change. I think Parsedown does not escape it for performance reasons and because there is no reason to do it.
HTML spec suggests escaping it. See http://www.w3.org/html/wg/drafts/html/master/syntax.html#serializing-html-fragments This includes & and ".
@xPaw I believe this text in the spec is targeted towards user agents and other software parsing HTML or working with the DOM. Even if Parsedown should escape
BTW @javiereguiluz has raised the question about releasing in #106 (comment) @erusev I'd like to add that if you want to be very strict about Semantic Versioning this should be released as a new minor version instead of a patch version, because it changes the interface and the major version is bigger than 0. It doesn't matter that it is backwards compatible.
Add `noMarkup` option to escape user HTML
👍
@erusev I've just updated the wiki with the example usage.
@hkdobrev I'm contemplating changing the name of the method to make it more consistent with the name of the other setter. Probably to
@erusev I was considering the following names: I went for
The name needs to be an adjective, as it represents a boolean, and the attribute in question doesn't remove markup. It escapes it. I appreciate the PR and I hope you wouldn't mind me making this change.
Does
@markseu It does. You can test at http://parsedown.org/demo?set[MarkupEscaped]=1.
@markseu it does and you must be aware of this if you use the HTML generated by Parsedown afterwards. For instance, I use Parsedown to convert Markdown into HTML and then I use GeSHi to highlight the code listings. This is my workflow:

```php
// use Parsedown to get HTML from Markdown
$parser = new \ParsedownExtra();
$parser->setMarkupEscaped(true);
$html = $parser->text($content);

// highlight code with GeSHi
$html = preg_replace_callback(
    '/^<pre><code( class="language\-(?<syntax>.*)")?>(?<source>.*)<\/code><\/pre>/Ums',
    'highlightCode',
    $html
);
```

The problem is that I need an ugly hack on

```php
public function highlightCode($matches)
{
    $source = trim($matches['source']);

    // this is the ugly hack to avoid double escaping
    $source = str_replace(
        array('&lt;', '&gt;', '&amp;'),
        array('<', '>', '&'),
        $source
    );

    // highlight source code with GeSHi ...
}
```
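The double-escaping problem described in the comment above, as an added example that is not part of the original thread or of Parsedown's code. `highlightStub()` and `rehighlight()` are hypothetical names, the stub only stands in for a highlighter such as GeSHi that escapes its own output, and the sample HTML is constructed.

```php
<?php
// Stand-in for a highlighter (assumption): it expects raw source text and
// HTML-escapes everything it emits. Decoded source must never reach the page
// without passing through an escaping step like this one.
function highlightStub(string $source, string $language): string
{
    return '<span class="' . htmlspecialchars($language, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($source, ENT_QUOTES, 'UTF-8') . '</span>';
}

// Re-highlight every <pre><code> block in HTML whose text is already escaped.
function rehighlight(string $html, bool $decodeFirst): string
{
    return preg_replace_callback(
        '/<pre><code(?: class="language-(?<syntax>[^"]*)")?>(?<source>.*?)<\/code><\/pre>/s',
        function (array $m) use ($decodeFirst): string {
            $source = $m['source'];
            if ($decodeFirst) {
                // Undo the parser's escaping exactly once, so the highlighter
                // sees the characters the author typed.
                $source = htmlspecialchars_decode($source, ENT_QUOTES);
            }
            $lang = $m['syntax'] !== '' ? $m['syntax'] : 'text';
            return '<pre>' . highlightStub($source, $lang) . '</pre>';
        },
        $html
    );
}

// Constructed sample: a fenced code block after a Markdown parser has escaped it.
$html = '<pre><code class="language-php">if ($a &lt; $b &amp;&amp; $c) { run(); }</code></pre>';

// Without decoding, the entities are escaped a second time (&amp;lt; ...),
// so a browser shows the literal text "&lt;" instead of "<".
echo rehighlight($html, false), "\n";

// With a single decode, the highlighter's own escaping yields &lt; and &amp; once.
echo rehighlight($html, true), "\n";
```

`htmlspecialchars_decode()` replaces the manual `str_replace()` table and also covers quote entities; it is safe here only because the very next step escapes the text again.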
Resolves #106. Addresses #161.
This change introduces a new option - `noMarkup`. You could set it in the `setNoMarkup()` method similar to the `setBreaksEnabled()` one.
Example usage: