我希望我的用户能够在 Markdown 中写一篇文章,将其存储在 MySQL 数据库中(可以选择在将来进行编辑),并显示给其他用户。
在实践中,这是我对其工作原理的理解:
输入
$queryInput = mysql_real_escape_string($userInput);输出
$output = Markdown($queryResult);$output是这样吗?
PHP Markdown 是否排除了对htmlspecialcharsor的需要Pure HTML?
谢谢!
I evaluated the use of markdown in PHP some weeks ago (and decided not to use it, by the way). My thoughts:
It might not be a good idea to run the markdown parser each time the output is rendered - parsing the comment is quite expensive and the usual blog comment (as an example) is far more often read than written. You should run the markdown parser BEFORE saving the user input into the database!
Now the really tough problem: Markdown does not do any security checks by itself. All xss attacks are happily passed through. If you now think "no problem, I'll just strip_tags right after getting the user input", think again: it is quite possible that markdown creates the tags containing the XSS while processing the user input. So, you have to check the HTML code created by markdown for security problems - a very hard task which is very error prone. (That was the reason for not using it in my case - the benefit had no good ratio to the potential costs)