Markdown processor

werchan uses blackfriday as a Markdown processor with some extensions that make formatting easier and more obvious, ideal for preview-less comment systems. For example, it has easy tables, code blocks, and is more lenient toward blank lines (or lack thereof).

It also uses bluemonday to strip potential XSS from user-generated posts.

bluemonday turns this:

Hello <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>World

Into a harmless:

Hello World

markdown.go still allows safe inline HTML.

markdown.go

package main

import (
    "github.com/russross/blackfriday"
    "github.com/microcosm-cc/bluemonday"
    "os"
    "io/ioutil"
)

func main() {
    const (
        flags = 0 |
            blackfriday.HTML_USE_XHTML |
            blackfriday.HTML_USE_SMARTYPANTS |
            blackfriday.HTML_SMARTYPANTS_FRACTIONS |
            blackfriday.HTML_SMARTYPANTS_LATEX_DASHES
        extensions = 0 |
            blackfriday.EXTENSION_NO_INTRA_EMPHASIS |
            blackfriday.EXTENSION_TABLES |
            blackfriday.EXTENSION_FENCED_CODE |
            blackfriday.EXTENSION_AUTOLINK |
            blackfriday.EXTENSION_STRIKETHROUGH |
            blackfriday.EXTENSION_SPACE_HEADERS |
            blackfriday.EXTENSION_HARD_LINE_BREAK |
            blackfriday.EXTENSION_NO_EMPTY_LINE_BEFORE_BLOCK
    )
    renderer := blackfriday.HtmlRenderer(flags, "", "")

    input, _ := ioutil.ReadAll(os.Stdin)

    unsafe := blackfriday.Markdown(input, renderer, extensions)
    safe := bluemonday.UGCPolicy().SanitizeBytes(unsafe)

    out := os.Stdout
    out.Write(safe)
}

To post a comment you need to login first.