Closed jylitalo closed 10 years ago
Hello @jylitalo,
Actually Redcarpet performs such escaping for legacy security reasons (see #82). If you want quotes inside script tags not to be escaped, you need to make sure that they aren't in a paragraph:
This will be escaped <script>alert("foo");</script> !
This will not:
<script>alert("bar");</script>
I'm giving it a close; thanks for spotting this! :-)
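A lint for the rule given in the reply above, as an added example that is not part of the thread or of Redcarpet: it flags `<script>` elements in Markdown source that sit inside a paragraph instead of forming a block of their own. The function name and the block test used here (tag at column 0, blank line before and after) are assumptions of this example, not Redcarpet's parser.

```ruby
# Added example: a heuristic lint, not Redcarpet's own parser.
# Rule (from the maintainer's reply): a <script> element is left untouched only
# when it is a block of its own; one that sits inside a paragraph is escaped.
Finding = Struct.new(:line, :reason)

def inline_script_findings(markdown)
  lines = markdown.lines.map(&:chomp)
  blank = ->(i) { i < 0 || i >= lines.size || lines[i].strip.empty? }
  findings = []
  in_block = false # true while inside a block-level <script> element
  lines.each_with_index do |text, i|
    opens  = text.match?(/<script\b/i)
    closes = text.match?(%r{</script>}i)
    if !in_block && opens && !(text.match?(/\A<script\b/i) && blank.(i - 1))
      findings << Finding.new(i + 1, "<script> opens inside a paragraph")
      next
    end
    next unless in_block || opens
    in_block = !closes
    if closes && !(text.match?(%r{</script>\s*\z}i) && blank.(i + 1))
      findings << Finding.new(i + 1, "text follows </script> in the same block")
    end
  end
  findings
end

# Constructed sample built from the two snippets quoted in the thread.
SAMPLE = <<~MD
  This will be escaped <script>alert("foo");</script> !

  This will not:

  <script>alert("bar");</script>
MD

if __FILE__ == $PROGRAM_NAME
  inline_script_findings(SAMPLE).each { |f| puts "line #{f.line}: #{f.reason}" }
end
```

Run it on the Markdown after Liquid tags have been expanded, since a tag placed mid-paragraph emits its `<script>` inline.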
This markdown
Testing
<script>
var var1 = 'en';
var var2 = '{{ site.url }}'
</script>
Testing
ends up producing the following HTML with Redcarpet 3.2.0
<p>Testing</p>
<p><script>
var var1 = 'en';
var var2 = ''
</script></p>
<p>Testing</p>
Not sure what I'm missing -- how do I prevent Redcarpet from putting the <p> tags around the script tags?
@mattberther: Yep, this is a different bug, this has already been fixed with https://github.com/vmg/redcarpet/commit/0f7f50056c75e61ea6c9867b07b796a0f64ab564. Normally, this change is included in Redcarpet 3.2.2 (also see #440).
When I use rdiscount as markdown parser in jekyll, my liquid tag (at https://github.com/jylitalo/ylitalot-net/blob/master/_plugins/colorbox.rb) will properly render: <script>$(document).ready(function() {$('a[href$="_l.jpg"]').colorbox();});</script>
If I try to use redcarpet for the same task, it will come out as <script>$(document).ready(function() {$('a[href$="_l.jpg"]').colorbox();});</script> which in my case doesn't serve its purpose.
So the problem is that redcarpet somehow seems to escape text from my render method (' character into ' and " to "), while rdiscount seems to trust that the plugin produces proper HTML.