Use Markdown parser for comment text

[samnabi]

It doesn't look like this plugin takes advantage of the built-in markdown parser.

[florianpircher]

Text is parsed as Markdown. message().

[samnabi]

Oh, my mistake. I noticed my smartypants settings (curly quotes, etc.) weren't being applied to the comment text. I thought markdown handled that. It turns out kirbytext() is the function that parses through smartypants.

Would you consider using kirbytext() instead of markdown() in the message() function?

[florianpircher]

kirbytext() is dangerous, as you are able to access custom kirbytext extensions when writing a comment.

[samnabi]

It would expand the commenter's ability to insert inline YouTube videos, or properly obfuscated email addresses. I don't think this is inherently dangerous.

On second thought, this does add a degree of complexity and site owners might not realize that their commenters can use kirbytags.

How about just running the smartypants filter after markdown(): https://github.com/getkirby/kirby/blob/fe9d8c5e70a3d73a41e3f3e10cb0fb62fc3a2611/core/kirbytext.php#L55

[florianpircher]

Some thoughts:

• Inline YouTube-videos may violate the privacy of your users by exposing their visit to YouTube
• Kirby developers are able to write their own kirbytext extensions, which might offer greater attack vectors than the default kirbytext “tags”. (a “read file” kirbytext extension might be a good idea for inserting text-snippets, but it is able to expose secrete config files)

Applying smartypants is a good for English websites, but it may be an issue when writing comments in different languages. I think it’s best to offer smartypants as an option.

[samnabi]

Smartypants settings can be applied per-language: https://forum.getkirby.com/t/is-it-possible-to-change-options-for-smartypants-dependent-on-the-language/1940

[florianpircher]

I will add an option for smartypants (default: enabled), so that it can be disabled for certain languages.