werc Bringing minimalism and sanity to the web

Markdown processor

werchan uses blackfriday as a Markdown processor with some extensions that make formatting easier and more obvious, ideal for preview-less comment systems. For example, it has easy tables, code blocks, and is more lenient toward blank lines (or lack thereof).

It also uses bluemonday to strip potential XSS from user-generated posts.

bluemonday turns this:

Hello <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>World

Into a harmless:

Hello World

markdown.go still allows safe inline HTML.


package main

import (

func main() {
    const (
        flags = 0 |
            blackfriday.HTML_USE_XHTML |
            blackfriday.HTML_USE_SMARTYPANTS |
            blackfriday.HTML_SMARTYPANTS_FRACTIONS |
        extensions = 0 |
            blackfriday.EXTENSION_NO_INTRA_EMPHASIS |
            blackfriday.EXTENSION_TABLES |
            blackfriday.EXTENSION_FENCED_CODE |
            blackfriday.EXTENSION_AUTOLINK |
            blackfriday.EXTENSION_STRIKETHROUGH |
            blackfriday.EXTENSION_SPACE_HEADERS |
            blackfriday.EXTENSION_HARD_LINE_BREAK |
    renderer := blackfriday.HtmlRenderer(flags, "", "")

    input, _ := ioutil.ReadAll(os.Stdin)

    unsafe := blackfriday.Markdown(input, renderer, extensions)
    safe := bluemonday.UGCPolicy().SanitizeBytes(unsafe)

    out := os.Stdout

To post a comment you need to login first.