CodepadME / laravel-tricks

The source code for the Laravel Tricks website
http://laravel-tricks.com
MIT License

Feature: Make intro text Markdown #9

Open chadwithuhc opened 10 years ago

chadwithuhc commented 10 years ago

I would like to see the intro text for a post to allow Markdown. When I recently posted something, it took my paragraphs and smashed them all together into one big paragraph. At the very least, can we get some nl2br() going on?

Remo commented 10 years ago

Same here. I'd try to create a pull request for this if we could agree on an approach.

msurguy commented 10 years ago

Thanks @Remo, maybe using Parsedown (http://parsedown.org/demo) + some sort of sanitizer/purifier (http://htmlpurifier.org/) would do the trick?

The complicated part about this is what HTML tags will be allowed so that there could be no security issues (injecting malicious JS, etc).

Please let's discuss this here and see where we can get.

Remo commented 10 years ago

I was expecting that a markdown parser supports some kind of "safe" option, but it doesn't seem like all of them do. Some quick research showed that what you suggest is what most people do.

I think basic formatting options would be enough, what I have in mind:

Last point might be tricky since I'd expect an option to upload pictures as well. Any comments on this?

There are also two different approaches to implement this. We could parse the markdown input when a trick is saved and put actual HTML code in the database, or we could save the markdown input and parse it when the trick is viewed. Parsedown seems to be pretty fast, but performance will always be better if we put HTML code in the database.

chadwithuhc commented 10 years ago

I say basic formatting like Remo mentioned. However, I do not think embedding pictures is necessary, especially since that could bring in concerns of image URL hacks.

What if you only allowed Markdown-style text and, before processing as Markdown, strip out any HTML to disallow adding CSS classes, scripts, etc. That way you will know all HTML generated is from the Markdown processor, which is considered safe.

As for saving it in the database, I think it would be better to store as Markdown text because if they want to edit, we will still be showing them the Markdown text and not have to convert it back from HTML to Markdown. Unless you wanted to store the converted version in a separate field as well.

Remo commented 10 years ago

Pictures are certainly not the most important thing, but sometimes it's much easier to use a simple illustration to explain something. I agree, though, that the benefit is probably too small to consider it.

Wouldn't htmlpurifier be the simpler and safer way? If we'd need more tags in the future, it's easy to add them since htmlpurifier would take care of everything and we wouldn't have to worry about a lot of things.

About the format in the database - we'd of course need to keep the markdown input as well!
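The Parsedown + HTMLPurifier pipeline proposed above, as an added example that is not part of the laravel-tricks codebase or this thread. It assumes the Composer packages erusev/parsedown (1.7 or later, for safe mode) and ezyang/htmlpurifier are installed; the tag allowlist and the sample intro text are constructed for the demo.

```php
<?php
// Added example (not from the laravel-tricks project): render a trick's intro text
// as Markdown while allowing only a small set of HTML tags in the output.
// Assumes Composer packages erusev/parsedown (>= 1.7) and ezyang/htmlpurifier.
require __DIR__ . '/vendor/autoload.php';

function renderIntro(string $markdown): string
{
    $parser = new Parsedown();
    // Safe mode escapes raw HTML in the input and neutralises unsafe link schemes,
    // so every tag in the output originates from the Markdown processor itself
    // (this is the "strip HTML before processing" idea from the thread).
    $parser->setSafeMode(true);
    // Treat single newlines as <br>, which covers the nl2br() request.
    $parser->setBreaksEnabled(true);
    $html = $parser->text($markdown);

    // Second layer: HTMLPurifier with an explicit allowlist of tags and attributes.
    // Adding a tag later (e.g. img) is a one-line change here, as Remo notes.
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,br,strong,em,code,pre,a[href],ul,ol,li,blockquote');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $config->set('Cache.DefinitionImpl', null); // no filesystem cache for this demo
    $purifier = new HTMLPurifier($config);

    return $purifier->purify($html);
}

// Constructed sample input: legitimate formatting plus markup that must not survive.
$intro = "First paragraph with **bold** and `inline code`.\nSecond line, same paragraph.\n\n"
       . "Second paragraph with a [link](https://laravel-tricks.com) "
       . "and a [bad one](javascript:alert(1)).\n\n"
       . "<script>alert('xss')</script><img src=x onerror=alert(1)>";

echo renderIntro($intro), PHP_EOL;
```

Storing the original Markdown alongside the rendered HTML, as discussed above, lets the site re-run this function if the allowlist changes later.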

msurguy commented 10 years ago

Thanks for your suggestions, guys, I've assigned this issue to the v1.3.0 milestone of the project, @stidges and I will explore this in more detail and see if it can be done easily and in a secure manner.