On 4/2/21 10:59 PM, Walter Bright wrote:
> On 4/1/2021 12:42 PM, Walter Bright wrote:
>> I'm concerned about running arbitrary scripts - what if bad people post malicious scripts that unsuspecting forum readers may run by reading the message? Could the Dfeed server be compromised by them?
> 
> This just showed up on HackerNews:
> 
> https://www.paulosyibelo.com/2021/04/this-man-thought-opening-txt-file-is.html 
> 

Walter, the DDOC stuff, and especially the $(SCRIPT) part was a well done April fools joke ;)

To recap:

1. Markdown is implemented, not DDOC
2. There is no arbitrary scripting available.

-Steve

On Friday, 2 April 2021 at 10:23:29 UTC, Vladimir Panteleev wrote:
> On Friday, 2 April 2021 at 10:12:25 UTC, ag0aep6g wrote:
[...]
>> Does the forum even support any HTML tags? If not, there's no point in stripping them. But maybe that's a limitation of the Markdown library you're using.
>
> The implementation does provide a knob with two settings (strip all HTML or allow all HTML). I don't know if it's due to a technical limitation of that particular implementation. I suspect that the reason may be something along the lines of that for the purposes of the formal specification, there should be a simple and clear rule for when sequences of characters are interpreted as HTML vs. when they are not, or something like that.

In my opinion, the proper solution would be to escape HTML before passing the string to the Markdown processor.

So when I enter this:

    <b>bold?</b> **bold!**

First turn it into this:

    &lt;b&gt;bold?&lt;/b&gt; **bold!**

Then pass that to the Markdown processor which turns it into this for the browser:

    &lt;b&gt;bold?&lt;/b&gt; <b>bold!</b>

And newsgroup users get the original input, no "\<" or "&lt;".

The Markdown processor won't strip any tags, because it won't see any to begin with.

On Tuesday, 6 April 2021 at 22:01:42 UTC, ag0aep6g wrote:
> In my opinion, the proper solution would be to escape HTML before passing the string to the Markdown processor.

Escaping all HTML special characters, regardless of context, would break:

- using said characters within code blocks (inline and otherwise), where the Markdown processor treats them verbatim;

- using them in Markdown syntax constructs, such as block quotes (though arguably we only need to escape `<`) and <URL>s (which arguably isn't very useful as we have GitHub auto-links turned on).

So, this transformation would need to be as part of the Markdown parsing process (or otherwise replicate a subset of it, to know when to escape and when not to, which is bound to be fragile).

GitHub's implementation does add a few settings regarding HTML, but they seem to be mainly about allowing certain HTML tags (which we don't want to do, as HTML makes messages less readable in plain text).

FWIW, github.com also strips HTML tags that it does not recognize, and doesn't even warn you.

On 07.04.21 08:16, Vladimir Panteleev wrote:
> Escaping all HTML special characters, regardless of context, would break:
> 
> - using said characters within code blocks (inline and otherwise), where the Markdown processor treats them verbatim;
> 
> - using them in Markdown syntax constructs, such as block quotes (though arguably we only need to escape `<`) and <URL>s (which arguably isn't very useful as we have GitHub auto-links turned on).
> 
> So, this transformation would need to be as part of the Markdown parsing process (or otherwise replicate a subset of it, to know when to escape and when not to, which is bound to be fragile).

Ah, dang it. Never mind then. Thanks for indulging me.