How to: Line break creates a line break #326

Closed
josephernest opened this issue Jun 4, 2015 · 8 comments

@josephernest

In usual Markdown, "creating a line break doesn't create a line break" :

Hello there!
I'm here.

will produce this with Parsedown:

Hello there! I'm here.


How can I make a line break really create a line break?
Can we enable this with an option added to:

require 'Parsedown.php';

?

@kminchev

kminchev commented Jun 4, 2015

As per the Markdown documentation, line breaks are added with 2 empty spaces at the end. You can enable automatic line breaks so every 'enter' will produce a line break. More info here: https://github.com/erusev/parsedown/wiki/Usage

@josephernest
Author

Thanks @kminchev!
So the solution was simply to add ->setBreaksEnabled(true) to the Parsedown instance, very easy!

One last thing: I'm doing a forum (in which the users write in Markdown). How can I disable user input of <script>, etc. (for safety)? Is there something built into Parsedown to prevent <script> in user input?

@hkdobrev
Contributor

hkdobrev commented Jun 4, 2015

@josephernest If you look a bit below in the same wiki page you'd find the setMarkupEscaped option which would simply disable HTML in Markdown. It will actually escape it and return it with HTML entities.

You could also prevent some XSS attacks from user-generated content with the modifications from @naNuke here: #276 (not yet merged!).

@josephernest
Author

Thanks @kminchev. I saw this option, but in fact I would like to enable HTML in Markdown for "normal things" like <table>, <img>, video embedding, etc. but disable HTML only for <script> and other dangerous things.

How can I allow one part of HTML, but disable another (<script>, etc.)?

@naNuke
Contributor

naNuke commented Jun 5, 2015

For that you need to run the Markdown result through a DOM parser and blacklist script tags.

http://simplehtmldom.sourceforge.net
http://php.net/manual/en/book.tidy.php

@josephernest
Author

@naNuke Which one would you use for just blocking <script>? simplehtmldom or tidy? Or do you mean that both are needed?
Would you have a short example?
I think it would be useful for a wide audience (block script, but keep the rest of HTML => useful to embed videos, etc.)

@naNuke
Contributor

naNuke commented Jun 7, 2015

@josephernest There is also http://htmlpurifier.org and http://php.net/manual/en/class.domdocument.php. I think all these libraries can provide filtering of some sort, but I am not familiar enough with them to write you an example for each, but a good partner for Parsedown would be the native DOMDocument to keep it fast.

You just pass your parsed Markdown, as Parsedown outputs it, into a DOMDocument object as the source, then getElementsByTagName('script') and remove all of those. Everything you need is in the documentation and there are plenty of examples on Stack Overflow :)

Also, if your concern is user-submitted JavaScript then you should remove all events as well, onclick etc...
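
The DOMDocument approach described in the comment above, as an added example; it is not code from the thread or from Parsedown. The function name `stripActiveContent` is hypothetical, the sample input is constructed, and the `javascript:` URL check goes beyond what the comment lists.

```php
<?php
// Added example (not from the thread). $rendered stands in for Parsedown output.

function stripActiveContent(string $html): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // tolerate HTML5 tags such as <video>
    // The XML encoding hint makes libxml read the fragment as UTF-8; the wrapper
    // <div> lets us pull the fragment back out of the <html><body> libxml adds.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    // 1. Remove <script> elements. The node list is live, so copy it first.
    foreach (iterator_to_array($doc->getElementsByTagName('script')) as $script) {
        $script->parentNode->removeChild($script);
    }

    // 2. On every remaining element, drop event-handler attributes (onclick, ...)
    //    and URL attributes that carry a javascript: scheme.
    $urlAttrs = ['href', 'src', 'action', 'formaction', 'poster'];
    foreach ($doc->getElementsByTagName('*') as $el) {
        foreach (iterator_to_array($el->attributes) as $attr) {
            $name = strtolower($attr->nodeName);
            // Browsers ignore whitespace and control characters inside the scheme.
            $value = preg_replace('/[\x00-\x20]+/', '', $attr->nodeValue);
            if (strpos($name, 'on') === 0
                || (in_array($name, $urlAttrs, true) && stripos($value, 'javascript:') === 0)) {
                $el->removeAttributeNode($attr);
            }
        }
    }

    // Serialize the wrapper's children, i.e. the original fragment minus removals.
    $wrapper = $doc->getElementsByTagName('div')->item(0);
    $out = '';
    foreach ($wrapper->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input: allowed markup mixed with markup that must be removed.
$rendered = '<p onclick="alert(1)">Hello</p><script>alert(2)</script>'
          . '<a href="JavaScript:alert(3)">link</a><table><tr><td>ok</td></tr></table>';
echo stripActiveContent($rendered), PHP_EOL;
```

This is a denylist, so anything it does not name passes through; an allowlist sanitizer such as the HTML Purifier library linked above is the stricter choice for untrusted forum input.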

@hkdobrev
Contributor

hkdobrev commented Jun 7, 2015

You can also use the Content-Security-Policy headers to whitelist only known and approved asset sources and to disallow inline JavaScript.

http://www.html5rocks.com/en/tutorials/security/content-security-policy/
