减价或HTML [英] Markdown or HTML
问题描述
我要求用户创建,修改和删除他们自己的文章。我计划使用SO用来创建文章的WMD编辑器。
从我可以收集的信息中,我们可以看到降价和HTML。它为什么这样做 - 有什么好处?
我无法决定是否存储减价,HTML或两者。如果我存储了哪一个我检索并转换为显示给用户。
更新:
好的,我认为从目前的答案来看,我应该同时存储降价和HTML。这似乎很酷。我也一直在阅读杰夫关于XSS漏洞的博客文章。由于WMD编辑器允许您输入任何HTML,因此可能会导致一些令人头疼的问题。
有问题的博文是此处。我猜测我必须遵循与SO相同的方法 - 并在服务器端消毒输入。
是否使用了可用作开放源代码的清理代码,或者我必须从头开始这项工作?
任何帮助将不胜感激。
谢谢
在性能和兼容性方面(最终也是社会控制),这两方面都非常有用/有帮助。
如果您仅存储 Markdown非HTML标记),那么每次将其解析为HTML风格都会带来性能成本。这并不总是显而易见的便宜。
如果您仅存储 HTML,那么您将冒着在生成的HTML中无声无息地发现错误的风险。这将导致大量的维护和修复头痛。您还会失去社交控制权,因为您不知道用户实际上填充了什么内容。例如,您可能是管理员,也想知道哪些用户正在尝试使用XSS < script> 等等。另外,最终用户将无法以Markdown格式编辑数据。您需要将其从HTML转换回来。
要在每次更改Markdown版本时更新HTML,只需添加一个代表正在使用的Markdown版本的字段生成HTML输出。只要在检索行的时候在服务器端进行了更改,就可以使用新版本重新解析数据并更新数据库中的行。这只是一次性额外费用。
I have a requirement for users to create, modify and delete their own articles. I plan on using the WMD editor that SO uses to create the articles.
From what I can gather SO stores the markdown and the HTML. Why does it do this - what is the benefit?
I can't decide whether to store the markdown, HTML or both. If I store both which one do I retrieve and convert to display to the user.
UPDATE:
Ok, I think from the answers so far, i should be storing both the markdown and HTML. That seems cool. I have also been reading a blog post from Jeff regarding XSS exploits. Because the WMD editor allows you to input any HTML this could cause me some headaches.
The blog post in question is here. I am guessing that I will have to follow the same approach as SO - and sanitize the input on the server side.
Is the sanitize code that SO uses available as Open Source or will I have to start this from scratch?
Any help would be much appreciated.
Thanks
Storing both is extremely useful/helpful in terms of performance and compatiblity (and eventually also social control).
If you store only Markdown (or whatever non-HTML markup), then there's a performance cost by parsing it into HTML flavor everytime. This is not always noticeably cheap.
If you store only HTML, then you'll risk that bugs are silently creeping in the generated HTML. This would lead to lot of maintenance and bugfixing headache. You'll also lose social control because you don't know anymore what the user has actually filled in. You'd for example as being an admin also like to know which users are trying to do XSS using <script> and so on. Also, the enduser won't be able to edit the data in Markdown format. You'd need to convert it back from HTML.
To update the HTML on every change of Markdown version, you just add one extra field representing the Markdown version being used for generating the HTML output. Whenever this has been changed in the server side at the moment you retrieve the row, re-parse the data using the new version and update the row in the DB. This is only an one-time extra cost.
这篇关于减价或HTML的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
