tag:blogger.com,1999:blog-336308386934546555.post7495962090909617820..comments2010-01-20T15:11:12.275+08:00William Shieldshttp://www.blogger.com/profile/18356811199950883367noreply@blogger.comBlogger6125tag:blogger.com,1999:blog-336308386934546555.post-15187087141305483322010-01-20T15:11:12.275+08:002010-01-20T15:11:12.275+08:00You guys haven&#39;t even LOOKED at the MarkdownSharp code, obviously.<br /><br />William, are you 100% sure nobody else has defined a grammar for Markdown yet?Jeff Atwoodhttp://codinghorror.myopenid.com/noreply@blogger.comtag:blogger.com,1999:blog-336308386934546555.post-75878485068260684072010-01-16T11:29:35.122+08:002010-01-16T11:29:35.122+08:00The XSS aspect is interesting and something that hadn&#39;t occurred to me. MarkdownSharp appears to still use the hash code so I guess would be vulnerable to XSS.<br /><br />I wonder if that means Stackoverflow is subject to XSS in the same way since I assume SO uses MarkdownSharp?William Shieldshttp://www.blogger.com/profile/18356811199950883367noreply@blogger.comtag:blogger.com,1999:blog-336308386934546555.post-75973962188105379632010-01-16T11:18:34.129+08:002010-01-16T11:18:34.129+08:00Ha! A match made in heaven!<br /><br />Gruber&#39;s design &#39;escapes&#39; blocks by replacing them with their hashcodes, but if the original input contains the same hashcodes — welcome to XSS city!<br /><br />Some people have &#39;fixed&#39; this hole by salting the MD5 replacements so an attacker can&#39;t guess them.Fred Blasdelhttp://www.blogger.com/profile/08057528812732998703noreply@blogger.comtag:blogger.com,1999:blog-336308386934546555.post-47396793848916008712010-01-16T08:52:04.758+08:002010-01-16T08:52:04.758+08:00MarkdownSharp replaces blocks with hashcodes so they won&#39;t be affected by subsequent regexes. I suspect this must be the equivalent of the MD5 hashing you refer to (I haven&#39;t looked at the original Markdown source).William Shieldshttp://www.blogger.com/profile/18356811199950883367noreply@blogger.comtag:blogger.com,1999:blog-336308386934546555.post-7807680425018113392010-01-16T07:45:00.610+08:002010-01-16T07:45:00.610+08:00<a href="http://michelf.com/projects/php-markdown/" rel="nofollow">The PHP Markdown changelog</a> should give you at least a hundred bugs in Markdown.pl to test against — he started with a straight transliteration (much like MarkdownSharp), and gradually made it less shitty. <a href="http://code.google.com/p/pandoc/wiki/PandocVsMarkdownPl" rel="nofollow">Here&#39;s some more from the author of Pandoc</a>.<br /><br />You&#39;re doing the right thing by completely rewriting it using real tools instead of multi-pass regex spaghetti.<br /><br />Atwood and Gruber really do deserve each other — does MarkdownSharp replicate Markdown.pl&#39;s ridiculous MD5-based escaping mechanism?Fred Blasdelhttp://www.blogger.com/profile/08057528812732998703noreply@blogger.comtag:blogger.com,1999:blog-336308386934546555.post-52921997573000890842010-01-15T16:22:10.884+08:002010-01-15T16:22:10.884+08:00I think having the p elements inside the list items is for this use case:<br /><br />* paragraph 1<br /><br /> paragraph 2 (still inside list item)<br /><br />* paragraph 3Mike Wellerhttp://www.blogger.com/profile/07165673241751830326noreply@blogger.com