Add noMarkup option to escape user HTML
#224
Conversation
Resolves #106. This change introduces a new option - `noMarkup`. You could set it the `setNoMarkup()` method similar to the `setBreaksEnabled()` one. Example usage: ``` php <?php $parsedown = new Parsedown(); $parsedown->setNoMarkup(true); $parsedown->text('<div><strong>*Some text*</strong></div>'); // Outputs: // <p><div><strong><em>Some text</em><s;/strong></div></p> ```
|
Shouldn't it escape '>' like it does with '<'? |
|
@xPaw No need. http://stackoverflow.com/questions/9010678/html-should-i-encode-greater-than-or-not-gt I think you'd need to escape It should also be escaped in attributes, but this is not relevant to this change. I think Parsedown does not escape it for performance reasons and because there is no reason to do it. |
|
HTML spec suggests escaping it. See http://www.w3.org/html/wg/drafts/html/master/syntax.html#serializing-html-fragments This includes & and ". |
|
@xPaw I believe this text in the spec is targeted towards user agents and other software parsing HTML or working with the DOM. Even if Parsedown should escape |
|
BTW @javiereguiluz has raised the question about releasing in #106 (comment) @erusev I'd like to add that if you want to be very strict about Semantic Versioning this should be released as a new minor version instead of a patch version, because it changes the interface and the major version is bigger than 0. It doesn't matter that it is backwards compatible.
|
Add `noMarkup` option to escape user HTML
👍 |
|
@erusev I've just updated the wiki with the example usage. |
|
@hkdobrev I'm contemplating changing the name of the method to make it more consistent with the name of the other setter. Probably to |
|
@erusev I was considering the following names: I went for
|
|
The name needs to be an adjective, as it represents a boolean, and the attribute in question doesn't remove markup. It escapes it. I appreciate the PR and I hope you wouldn't mind me making this change. |
|
Does |
|
@markseu It does. You can test at http://parsedown.org/demo?set[MarkupEscaped]=1. |
|
@markseu it does and you must be aware of this if you use the HTML generated by Parsedown afterwards. For instance, I use Parsedown to convert Markdown into HTML and then I use GeSHi to highlight the code listings. This is my workflow: // use Parsedown to get HTML from Markdown
$parser = new \ParsedownExtra();
$parser->setMarkupEscaped(true);
$html = $parser->text($content);
// highlight code with GeSHi
$html = preg_replace_callback(
'/^<pre><code( class="language\-(?<syntax>.*)")?>(?<source>.*)<\/code><\/pre>/Ums',
'highlightCode',
$html
);The problem is that I need an ugly hack on public function highlightCode($matches)
{
$source = trim($matches['source']);
// this is the ugly hack to avoid double escaping
$source = str_replace(
array('<', '>', '&'),
array('<', '>', '&'),
$source
);
// highlight source code with GeSHi ...
} |
Resolves #106. Addresses #161.
This change introduces a new option -
noMarkup. You could set it in thesetNoMarkup()method similar to thesetBreaksEnabled()one.Example usage: