Markdown processor
werchan uses blackfriday as its Markdown processor, with a set of extensions enabled that make formatting easier and more predictable — ideal for comment systems without a preview. For example, it supports simple tables and fenced code blocks, and it is more lenient about blank lines (or the lack of them) before block elements.
It also runs bluemonday, an HTML sanitizer, over the HTML that blackfriday produces, to strip potential XSS vectors from user-generated posts. The sanitizer is applied to the rendered HTML rather than to the Markdown source, so raw HTML embedded in a post goes through the same policy as the markup blackfriday generates.
bluemonday turns this:
Hello <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>World
Into a harmless:
Hello World
markdown.go still allows inline HTML, but only the elements and attributes permitted by bluemonday's UGCPolicy; anything outside that allowlist (such as the STYLE element and the CLASS attribute in the example above) is removed.
markdown.go
package main
import (
	"fmt"
	"io/ioutil"
	"os"

	"github.com/microcosm-cc/bluemonday"
	"github.com/russross/blackfriday"
)
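// main reads Markdown from stdin, renders it to HTML with blackfriday,
// sanitizes the rendered HTML with bluemonday's UGCPolicy, and writes the
// result to stdout. A failure to read stdin or write stdout is reported on
// stderr and the process exits with status 1 instead of silently emitting
// partial or empty output.
func main() {
	const (
		// Renderer flags: XHTML-style output plus SmartyPants punctuation
		// (fraction and LaTeX-style dash substitutions).
		flags = 0 |
			blackfriday.HTML_USE_XHTML |
			blackfriday.HTML_USE_SMARTYPANTS |
			blackfriday.HTML_SMARTYPANTS_FRACTIONS |
			blackfriday.HTML_SMARTYPANTS_LATEX_DASHES
		// Parser extensions: tables, fenced code, autolinks, strikethrough,
		// hard line breaks, and relaxed blank-line rules around blocks.
		extensions = 0 |
			blackfriday.EXTENSION_NO_INTRA_EMPHASIS |
			blackfriday.EXTENSION_TABLES |
			blackfriday.EXTENSION_FENCED_CODE |
			blackfriday.EXTENSION_AUTOLINK |
			blackfriday.EXTENSION_STRIKETHROUGH |
			blackfriday.EXTENSION_SPACE_HEADERS |
			blackfriday.EXTENSION_HARD_LINE_BREAK |
			blackfriday.EXTENSION_NO_EMPTY_LINE_BEFORE_BLOCK
	)
	renderer := blackfriday.HtmlRenderer(flags, "", "")

	// ioutil.ReadAll is kept for compatibility with the rest of the file;
	// on Go 1.16+ io.ReadAll is the equivalent.
	input, err := ioutil.ReadAll(os.Stdin)
	if err != nil {
		fmt.Fprintln(os.Stderr, "reading stdin:", err)
		os.Exit(1)
	}

	// The rendered HTML is untrusted: Markdown input may carry raw HTML,
	// so sanitization must happen on blackfriday's output, never before it.
	unsafe := blackfriday.Markdown(input, renderer, extensions)
	safe := bluemonday.UGCPolicy().SanitizeBytes(unsafe)

	if _, err := os.Stdout.Write(safe); err != nil {
		fmt.Fprintln(os.Stderr, "writing stdout:", err)
		os.Exit(1)
	}
}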