comp.lang.ruby

for user submitted content on website, use textile or html?

nicknameoptional

4/12/2007 6:26:00 AM

I know that using another markup language, like wiki syntax or Textile, is
meant to prevent JavaScript injection. But for users who don't know wiki
syntax or Textile, I'm thinking about just allowing them to enter plain
HTML, parsing the content, and rejecting all questionable tags and
attributes, allowing only predefined (safe) tags, like bold or italic,
etc.

Is using HTML for markup less secure than using non-HTML markup?
What's the main reason people use another markup language for
user-posted content on a website?
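
The approach the question describes (parse the submitted HTML, keep only predefined safe tags, reject everything else), sketched in Ruby as an added example that is not part of the original post. The tag allowlist, the http/https-only link rule and the name `sanitize_user_html` are assumptions of this example.

```ruby
require "cgi"
require "strscan"

# Assumed allowlist for this example: formatting tags, written without attributes.
ALLOWED_TAGS = %w[b i em strong p br ul ol li blockquote code pre].freeze
VOID_TAGS    = %w[br].freeze
BARE_TAG     = %r{<(/?)([A-Za-z][A-Za-z0-9]*)\s*/?>}
# The only attribute accepted anywhere: a double-quoted href on <a>.
LINK_TAG     = /<a\s+href="([^"<>]*)"\s*>/i
# \A and \z anchor the whole string; ^ and $ would only anchor one line in Ruby.
SAFE_URL     = %r{\Ahttps?://\S+\z}i

# Escape-by-default sanitizer: all input is HTML-escaped unless it is exactly
# an allowlisted tag. Input is treated as literal text, so anything that is
# not recognised (including entities) is displayed, never interpreted.
def sanitize_user_html(input)
  scanner = StringScanner.new(input.to_s)
  out = +""
  open_tags = []
  until scanner.eos?
    if scanner.scan(LINK_TAG)
      if SAFE_URL.match?(scanner[1]) && !open_tags.include?("a")
        out << %(<a href="#{CGI.escapeHTML(scanner[1])}" rel="nofollow noopener">)
        open_tags.push("a")
      else
        out << CGI.escapeHTML(scanner.matched) # e.g. javascript: URLs
      end
    elsif scanner.scan(BARE_TAG)
      closing = scanner[1] == "/"
      name = scanner[2].downcase
      if closing && open_tags.last == name
        out << "</#{open_tags.pop}>"
      elsif !closing && ALLOWED_TAGS.include?(name)
        out << "<#{name}>"
        open_tags.push(name) unless VOID_TAGS.include?(name)
      else
        out << CGI.escapeHTML(scanner.matched) # unknown tag or stray close tag
      end
    else
      # Plain text run, or a lone "<" that starts no recognised tag
      # (this is where tags carrying attributes such as onclick= end up).
      out << CGI.escapeHTML(scanner.scan(/[^<]+/) || scanner.getch)
    end
  end
  open_tags.reverse_each { |name| out << "</#{name}>" } # close what was left open
  out
end
```

Because the default action is to escape, a tag or attribute the patterns do not anticipate is rendered as visible text instead of reaching the browser as markup.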

6 Answers

Brian Candler

4/12/2007 7:44:00 AM

0

> what's the main reason people use another markup language for user
> posted content on website?

In order to make their users' lives miserable, I believe :-(

I've lost track of how many different markups I've had to learn: BBcode,
Twiki, rdoc, markdown, whatever Rubygarden uses, MoinMoin, Trac, pod,
probably others. All have different ways of expressing the most basic
things, like a hyperlink or a level 1 heading. When I come across a website
which uses a different one again, like Textile, I cringe.

BBcode even uses [b]..[/b], presumably only to be different to <b>..</b>

Hmph!

Brian.

Leslie Viljoen

4/12/2007 9:21:00 AM

0

On 4/12/07, Brian Candler <B.Candler@pobox.com> wrote:
> > what's the main reason people use another markup language for user
> > posted content on website?
>
> In order to make their users' lives miserable, I believe :-(
>
> I've lost track of how many different markups I've had to learn: BBcode,
> Twiki, rdoc, markdown, whatever Rubygarden uses, MoinMoin, Trac, pod,
> probably others. All have different ways of expressing the most basic
> things, like a hyperlink or a level 1 heading. When I come across a website
> which uses a different one again, like Textile, I cringe.
>
> BBcode even uses [b]..[/b], presumably only to be different to <b>..</b>

I hate it too. One good thing is MediaWiki's toolbar - click on a
button that looks like large text and it will put in a large text
example for you.

These HTML alternatives were not invented for security but for ease of
use, which is ironic.

My hope is that a victor will emerge and most wikis will adapt to
support it as an option. Markdown is my favourite because I think the
text looks most like the final product, it's just that Markdown
desperately needs a syntax for tables.

James Gray

4/12/2007 12:38:00 PM

0

On Apr 12, 2007, at 4:20 AM, Leslie Viljoen wrote:

> Markdown is my favourite because I think the
> text looks most like the final product,

I agree. Markdown is under loved. I think it's a much better fit
for most user entry than Textile, which is over loved, in my opinion.

> it's just that Markdown desperately needs a syntax for tables.

And definition lists, yes.

James Edward Gray II


Christian Neukirchen

4/12/2007 8:37:00 PM

0

James Edward Gray II <james@grayproductions.net> writes:

> On Apr 12, 2007, at 4:20 AM, Leslie Viljoen wrote:
>
>> Markdown is my favourite because I think the
>> text looks most like the final product,
>
> I agree. Markdown is under loved. I think it's a much better fit
> for most user entry than Textile, which is over loved, in my opinion.
>
>> it's just that Markdown desperately needs a syntax for tables.
>
> And definition lists, yes.

And custom class=. Pleeaaase!

> James Edward Gray II
--
Christian Neukirchen <chneukirchen@gmail.com> http://chneuk...

Leslie Viljoen

4/13/2007 6:50:00 AM

0

On 4/12/07, Christian Neukirchen <chneukirchen@gmail.com> wrote:
> James Edward Gray II <james@grayproductions.net> writes:
>
> > On Apr 12, 2007, at 4:20 AM, Leslie Viljoen wrote:
> >
> >> Markdown is my favourite because I think the
> >> text looks most like the final product,
> >
> > I agree. Markdown is under loved. I think it's a much better fit
> > for most user entry than Textile, which is over loved, in my opinion.
> >
> >> it's just that Markdown desperately needs a syntax for tables.
> >
> > And definition lists, yes.
>
> And custom class=. Pleeaaase!

I emailed John Gruber and he says tables are definitely coming - but
who knows when? In the meantime, he said that extensions found here
are the best bet: http://www.michelf.com/projects/php-markd...

Taking a quick look, tables, definition lists and footnote syntax look
the same as in Maruku (Maruku says it implements php-markdown's
extensions). In any event, the Markdown mailing list discusses
improvements:
http://six.pairlist.net/mailman/listinfo/markdo...

My secret plan is to convert all our company's technical documentation
to Markdown.

Les

James Gray

4/13/2007 11:49:00 AM

0

On Apr 13, 2007, at 1:49 AM, Leslie Viljoen wrote:

> Taking a quick look, tables, definition lists and footnote syntax look
> the same as in Maruku (Maruku says it implements php-markdown's
> extensions).

It looks like there's Maruku for Ruby too:

http://rubyforge.org/proje...

James Edward Gray II