For user submitted content on website, use textile or html?


#1

I know that using another markup language, like wiki syntax or Textile, is to
prevent JavaScript injection. But for users who don’t know about wiki
syntax or Textile, I’m thinking about just allowing them to enter plain
HTML, parsing the content, and rejecting all questionable tags and
attributes, only allowing predefined (safe) tags, like bold or italic,
etc.

Is using HTML for markup less secure than using non-HTML markup?
What’s the main reason people use another markup language for
user-posted content on a website?
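
The approach described in this post (parse the input, keep only predefined tags, reject everything else), sketched in Ruby as an added example that is not part of the thread. The tag allowlist, the permitted URL schemes and the names `sanitize_html` and `safe_href` are assumptions.

```ruby
require "cgi"

# Added example: assumed policy of allowed tags and the attributes kept for each.
ALLOWED_TAGS = { "b" => [], "i" => [], "em" => [], "strong" => [], "a" => ["href"] }.freeze
SAFE_URL = /\A(?:https?:\/\/|mailto:)\S+\z/i
TAG = /\A<(\/?)([a-z][a-z0-9]*)((?:\s[^<>]*)?)>\z/i
HREF = /\shref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i

# Returns the entity-decoded href when its scheme is allowlisted, else nil.
# Decoding first means "&#106;avascript:" is judged as "javascript:".
def safe_href(attrs)
  m = HREF.match(attrs) or return nil
  url = CGI.unescapeHTML(m.captures.compact.first).strip
  url if url.match?(SAFE_URL)
end

# Escapes everything by default. Allowlisted tags are rebuilt from scratch,
# so no attribute text supplied by the user is copied into the output.
def sanitize_html(input)
  open_tags = []
  out = input.split(/(<[^<>]*>)/).map do |token|
    m = TAG.match(token)
    name = m && m[2].downcase
    next CGI.escapeHTML(token) unless m && ALLOWED_TAGS.key?(name)

    if m[1] == "/"
      next "" unless open_tags.include?(name) # stray closing tag: drop it
      # Close the tag together with anything still open inside it.
      closed = open_tags.pop(open_tags.size - open_tags.rindex(name))
      closed.reverse.map { |t| "</#{t}>" }.join
    else
      open_tags << name
      href = ALLOWED_TAGS[name].include?("href") && safe_href(m[3])
      href ? %(<#{name} href="#{CGI.escapeHTML(href)}">) : "<#{name}>"
    end
  end
  # Close whatever the user left open so it cannot restyle the rest of the page.
  out.join + open_tags.reverse.map { |t| "</#{t}>" }.join
end
```

A real deployment would normally use a maintained HTML sanitizer rather than a regex tokenizer; the point here is the escape-by-default shape, in which allowed tags are rebuilt rather than filtered.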


#2

what’s the main reason people use another markup language for user
posted content on website?

In order to make their users’ lives miserable, I believe :frowning:

I’ve lost track of how many different markups I’ve had to learn: BBcode,
Twiki, rdoc, markdown, whatever Rubygarden uses, MoinMoin, Trac, pod,
probably others. All have different ways of expressing the most basic
things, like a hyperlink or a level 1 heading. When I come across a
website which uses a different one again, like Textile, I cringe.

BBcode even uses , presumably only to be different to

Hmph!

Brian.


#3

On 4/12/07, Brian C. removed_email_address@domain.invalid wrote:

BBcode even uses , presumably only to be different to

I hate it too. One good thing is MediaWiki’s toolbar - click on a
button that looks like large text and it will put in a large text
example for you.

These HTML alternatives were not invented for security but for ease of
use, which is ironic.

My hope is that a victor will emerge and most wikis will adapt to
support it as an option. Markdown is my favourite because I think the
text looks most like the final product, it’s just that Markdown
desperately needs a syntax for tables.


#4

On Apr 12, 2007, at 4:20 AM, Leslie V. wrote:

Markdown is my favourite because I think the
text looks most like the final product,

I agree. Markdown is under loved. I think it’s a much better fit
for most user entry than Textile, which is over loved, in my opinion.

it’s just that Markdown desperately needs a syntax for tables.

And definition lists, yes.

James Edward G. II


#5

James Edward G. II removed_email_address@domain.invalid writes:

And definition lists, yes.

And custom class=. Pleeaaase!


#6

On 4/12/07, Christian N. removed_email_address@domain.invalid wrote:

it’s just that Markdown desperately needs a syntax for tables.

And definition lists, yes.

And custom class=. Pleeaaase!

I emailed John Gruber and he says tables are definitely coming - but
who knows when? In the meantime, he said that extensions found here
are the best bet: http://www.michelf.com/projects/php-markdown/extra/

Taking a quick look, tables, definition lists and footnote syntax look
the same as in Maruku (Maruku says it implements php-markdown’s
extensions). In any event, the Markdown mailing list discusses
improvements:
http://six.pairlist.net/mailman/listinfo/markdown-discuss

My secret plan is to convert all our company’s technical documentation
to Markdown.

Les


#7

On Apr 13, 2007, at 1:49 AM, Leslie V. wrote:

Taking a quick look, tables, definition lists and footnote syntax look
the same as in Maruku (Maruku says it implements php-markdown’s
extensions).

It looks like there’s Maruku for Ruby too:

http://rubyforge.org/projects/maruku

James Edward G. II