"Safe" markdown processor for PHP?


Question

Is there a PHP implementation of markdown suitable for using in public comments?

Basically it should only allow a subset of the markdown syntax (bold, italic, links, block-quotes, code-blocks and lists), and strip out all inline HTML (or possibly escape it?)

I guess one option is to use the normal markdown parser, and run the output through an HTML sanitiser, but is there a better way of doing this..?

We're using PHP markdown Extra for the rest of the site, so we'd already have to use a secondary parser (the non-"Extra" version, since things like footnote support are unnecessary). It also seems nicer parsing only the *bold* text and having everything escaped to &lt;a href="etc"&gt;, than generating <b>bold</b> text and trying to strip the bits we don't want.

Also, on a related note, we're using the WMD control for the "main" site, but for comments, what other options are there? WMD's javascript preview is nice, but it would need the same "neutering" as the PHP markdown processor (it can't display images and so on, otherwise someone will submit and their working markdown will "break")

Currently my plan is to use the PHP-markdown -> HTML sanitiser method, and edit WMD to remove the image/heading syntax from showdown.js - but it seems like this has been done countless times before..

Basically:

  • Is there a "safe" markdown implementation in PHP?
  • Is there an HTML/javascript markdown editor with the same options that can be easily disabled?

Update: I ended up simply running the markdown() output through HTML Purifier.

This way the Markdown rendering was separate from output sanitisation, which is much simpler (two mostly-unmodified code bases), more secure (you're not trying to do both rendering and sanitisation at once), and more flexible (you can have multiple sanitisation levels, say a more lax configuration for trusted content, and a much more stringent version for public comments).
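The two-stage approach described in the update (render with the unmodified Markdown library, then whitelist-sanitise the HTML with HTML Purifier at more than one strictness level), as an added example that is not part of the original question or answer. It assumes PHP Markdown's markdown.php and HTML Purifier's HTMLPurifier.auto.php are on the include path; the profile names "public" and "trusted" and the sample comment are constructed for the example.

```php
<?php
// Added example: PHP Markdown rendering followed by HTML Purifier sanitisation.
// Assumes markdown.php (PHP Markdown) and HTMLPurifier.auto.php (HTML Purifier)
// are on the include path.
require_once 'markdown.php';
require_once 'HTMLPurifier.auto.php';

// Build a sanitiser configuration for one of two constructed profiles:
// "trusted" for content from site editors, "public" for anonymous comments.
function comment_purifier_config($level) {
    $config = HTMLPurifier_Config::createDefault();
    // Only plain web and mail links survive; javascript: and data: URLs are dropped.
    $config->set('URI.AllowedSchemes', array('http' => true, 'https' => true, 'mailto' => true));
    if ($level === 'trusted') {
        // Trusted authors may use headings, images and tables (Markdown Extra output).
        $config->set('HTML.Allowed',
            'p,br,strong,b,em,i,a[href|title],blockquote,pre,code,ul,ol,li,' .
            'h1,h2,h3,h4,img[src|alt|title],table,thead,tbody,tr,th,td');
    } else {
        // Public comments: exactly the subset the question asks for.
        // Inline HTML that Markdown passed through is reduced to this whitelist.
        $config->set('HTML.Allowed',
            'p,br,strong,b,em,i,a[href],blockquote,pre,code,ul,ol,li');
        // Mark user-contributed links rel="nofollow" to discourage link spam.
        $config->set('HTML.Nofollow', true);
    }
    return $config;
}

// Render untrusted Markdown and sanitise the result. Purifier instances are
// cached per profile because building one is comparatively expensive.
function render_user_markdown($text, $level = 'public') {
    static $purifiers = array();
    if (!isset($purifiers[$level])) {
        $purifiers[$level] = new HTMLPurifier(comment_purifier_config($level));
    }
    // Step 1: ordinary Markdown rendering, library left unmodified.
    $html = Markdown($text);
    // Step 2: whitelist-based sanitisation of the rendered HTML.
    return $purifiers[$level]->purify($html);
}

// Constructed sample comment: allowed syntax mixed with inline HTML and a
// non-http link scheme, both of which the public profile must neutralise.
$sample = "**bold** and *italic*, a [link](http://example.com/)\n\n"
        . "<script>alert(1)</script>\n\n"
        . "[bad](javascript:alert(1))\n\n"
        . "    indented code block\n";

echo render_user_markdown($sample, 'public'), "\n";
echo render_user_markdown($sample, 'trusted'), "\n";
```

Because the whitelist is applied to the rendered HTML rather than to the Markdown source, it does not matter whether a tag came from Markdown syntax or from inline HTML in the comment; anything outside HTML.Allowed is removed either way, and a link whose scheme is not in URI.AllowedSchemes loses its href.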

Answer

PHP Markdown has a sanitizer option, but it doesn't appear to be advertised anywhere. Take a look at the top of the Markdown_Parser class in markdown.php (starts on line 191 in version 1.0.1m). We're interested in lines 209-211:

# Change to `true` to disallow markup or entities.
var $no_markup = false;
var $no_entities = false;

If you change those to true, markup and entities, respectively, should be escaped rather than inserted verbatim. There doesn't appear to be any built-in way to change those (e.g., via the constructor), but you can always add one:

// Assumes markdown.php (PHP Markdown 1.0.1m) is on the include path.
require_once 'markdown.php';

function do_markdown($text, $safe=false) {
    $parser = new Markdown_Parser;
    if ($safe) {
        // Escape raw HTML tags and entities instead of passing them through.
        $parser->no_markup = true;
        $parser->no_entities = true;
    }
    return $parser->transform($text);
}

Note that the above function creates a new parser on every run rather than caching it like the provided Markdown function (lines 43-56) does, so it might be a bit on the slow side.
