vmg / sundown

Standards compliant, fast, secure markdown processing library in C

HTML not escaped in some cases #13

Closed FSX closed 13 years ago

FSX commented 13 years ago

I've been working on a Python extension for Upskirt and I noticed that in some cases HTML is not escaped.

Tables?

Does ~this~ work?

So? http://example.com/ \"It\" <b>Test</b> works?

| Function name | Description                    |
| ------------- | ------------------------------ |
| `help()`      | Display the help window.       |
| `destroy()`   | **Destroy your computer!**     |

<div>Stripped **or** \"not\"?</div> Test

Test test test

<div>Test</div>

Results in:

<p>Tables?</p>

<p>Does ~this~ work?</p>

<p>So? <a href="http://example.com/">http://example.com/</a> &quot;It&quot; &lt;b&gt;Test&lt;/b&gt; works?</p>

<p>| Function name | Description                    |
| ------------- | ------------------------------ |
| <code>help()</code>      | Display the help window.       |
| <code>destroy()</code>   | <strong>Destroy your computer!</strong>     |</p>

<div>Stripped **or** \"not\"?</div> Test

Test test test

<div>Test</div>

While this:

Tables?

Does ~this~ work?

So? http://example.com/ \"It\" <b>Test</b> works?

| Function name | Description                    |
| ------------- | ------------------------------ |
| `help()`      | Display the help window.       |
| `destroy()`   | **Destroy your computer!**     |

<div>Stripped **or** \"not\"?</div> Test

Test test test

<p>Test</p>

Results in:

<p>Tables?</p>

<p>Does ~this~ work?</p>

<p>So? <a href="http://example.com/">http://example.com/</a> &quot;It&quot; &lt;b&gt;Test&lt;/b&gt; works?</p>

<p>| Function name | Description                    |
| ------------- | ------------------------------ |
| <code>help()</code>      | Display the help window.       |
| <code>destroy()</code>   | <strong>Destroy your computer!</strong>     |</p>

<p>&lt;div&gt;Stripped <strong>or</strong> &quot;not&quot;?&lt;/div&gt; Test</p>

<p>Test test test</p>

<p>Test</p>

The difference in the two source texts is the last HTML tag. I parsed both texts with the XHTML_SKIP_HTML render flag and I tested it with my own extension, Redcarpet and the example that is included with Upskirt.

vmg commented 13 years ago

Hey Frank, thanks for reporting this. The HTML filter was missing the case for HTML blocks... I've fixed this in 1.12.2, filtering should be much more robust now. I've changed all the FILTER flags so that the filtered HTML just disappears from the rendered document, instead of showing up as escaped entities.

Shout if you find any more issues.
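The report above shows the failure mode (inline `<b>` escaped, block-level `<div>` passed through) and the reply describes the fix (filtered HTML disappears entirely in 1.12.2). The following is an added regression check, not part of the issue or of sundown/Upskirt: it takes a markdown source and the renderer's output and reports any tag that appeared as raw HTML in the source and survived as a live element in the output. It is renderer-agnostic, so it works for an escaping filter and for a dropping filter alike. The sample inputs are constructed from the issue text; `FIXED_OUTPUT` is an assumed illustration of the post-fix behaviour, not captured output.

```python
"""Regression check for an HTML-skipping markdown filter.

Given the markdown source and the rendered output, flag any HTML tag that was
present as raw HTML in the source and survived into the output as a real
element (neither escaped to entities nor dropped). Added example; not code
from the sundown project.
"""
import re
from html.parser import HTMLParser

# Tags a markdown renderer legitimately emits on its own. A leaked source tag
# with one of these names cannot be told apart from renderer output by this
# check, so use tags outside this set (e.g. <div>) as probes.
RENDERER_TAGS = {
    "p", "a", "code", "pre", "strong", "em", "ul", "ol", "li", "blockquote",
    "h1", "h2", "h3", "h4", "h5", "h6", "hr", "br", "table", "thead", "tbody",
    "tr", "th", "td", "del", "img",
}

# Matches the name of an opening or closing tag written as raw HTML.
RAW_TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)")


class _LiveTagCollector(HTMLParser):
    """Collect the names of elements the HTML parser actually sees.

    Escaped markup such as &lt;b&gt; is character data to the parser, so it
    is never collected here; only unescaped tags count as live.
    """

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag.lower())

    def handle_startendtag(self, tag, attrs):
        self.tags.append(tag.lower())


def raw_html_tags(markdown_source):
    """Tag names that appear as raw HTML anywhere in the markdown source."""
    return {m.group(1).lower() for m in RAW_TAG_RE.finditer(markdown_source)}


def leaked_tags(markdown_source, rendered_html):
    """Source HTML tags that survive as live elements in the rendered output.

    An empty set means the skip/escape filter held for this input.
    """
    collector = _LiveTagCollector()
    collector.feed(rendered_html)
    collector.close()
    live = set(collector.tags)
    return (raw_html_tags(markdown_source) & live) - RENDERER_TAGS


# Constructed from the issue: the lines of the first source text that matter.
BUGGY_SOURCE = (
    'So? <b>Test</b> works?\n\n'
    '<div>Stripped **or** "not"?</div> Test\n\n'
    '<div>Test</div>\n'
)

# Output as reported for the pre-1.12.2 filter: the inline <b> was escaped,
# but the <div> elements passed through untouched.
BUGGY_OUTPUT = (
    '<p>So? &lt;b&gt;Test&lt;/b&gt; works?</p>\n\n'
    '<div>Stripped **or** "not"?</div> Test\n\n'
    '<div>Test</div>\n'
)

# Assumed illustration of a correct skip filter (1.12.2 drops filtered HTML):
# the raw tags are gone and no <div> element survives.
FIXED_OUTPUT = (
    '<p>So? Test works?</p>\n\n'
    '<p>Stripped <strong>or</strong> &quot;not&quot;? Test</p>\n\n'
    '<p>Test</p>\n'
)


if __name__ == "__main__":
    print("buggy renderer leaked:", leaked_tags(BUGGY_SOURCE, BUGGY_OUTPUT))
    print("fixed renderer leaked:", leaked_tags(BUGGY_SOURCE, FIXED_OUTPUT))
```

Because the check only compares tag names, put probe tags in the source that the renderer never emits itself; a `<p>` block at the end of the document, as in the second source text above, would be indistinguishable from the renderer's own paragraph wrapper. Run the check on a source that ends in an HTML block as well as one that does not, since that was exactly the case the filter missed.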