How do you secure Markdown so that it does not allow javascript with rails?
I see guruza does it as this link should popup an alert but does not work here.
Answers by: Zachary Holt | Rich Collins
The above was this (compare the code):
<a name="test" onclick="window.alert('hi!');">test</a>
It looks like all the onwhatever attributes are stripped. You can do that with a regular expression.
Actually, there's more processing than that going on, because I used double quotes on the name attribute. It's got single quotes in the resulting HTML.
The "roundtripping" isn't quite complete. My hunch is that it's a regular expression that checks for both single and double quotes, but always slaps single quotes back into place.
Zachary, thanks for your help, but it's actually very complicated to remove all edge cases from the HTML. The sanitize method Rich pointed out is what I was looking for.
Cheers.
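The two approaches discussed in the thread, as an added example that is not from the thread or from Rails itself: the regex strip Zachary described beside a small allowlist filter of the kind kris settled on. In a Rails app the real helper is `sanitize` from ActionView (backed by rails-html-sanitizer); this plain-Ruby stand-in only approximates it, and the `ALLOWED` table and function names are assumptions.

```ruby
# Naive approach from the thread: delete double-quoted on* attributes with a regex.
# It misses single-quoted and unquoted handlers, and never looks at href values.
def strip_on_attributes(html)
  html.gsub(/\son\w+="[^"]*"/i, '')
end

# Allowlist approach: only listed tags survive, and only listed attributes on them.
# Everything not explicitly allowed is dropped, so new handler names need no new rule.
ALLOWED = {
  'a' => %w[href name title],
  'p' => [], 'em' => [], 'strong' => [], 'code' => []
}.freeze

# One attribute: name, then a double-quoted, single-quoted or bare value.
ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

def sanitize_allowlist(html)
  html.gsub(%r{<(/?)([a-zA-Z0-9]+)([^>]*)>}) do
    closing, tag, attrs = $1, $2.downcase, $3
    next '' unless ALLOWED.key?(tag)          # unknown tag: remove the tag, keep its text
    next "</#{tag}>" unless closing.empty?
    kept = attrs.scan(ATTR_RE).filter_map do |name, dq, sq, bare|
      name = name.downcase
      value = dq || sq || bare || ''
      next unless ALLOWED[tag].include?(name)
      # href: only relative, fragment, http(s) or mailto links; rejects javascript: URLs.
      next if name == 'href' && value.strip !~ %r{\A(https?:|mailto:|/|#)}i
      esc = value.gsub('"', '&quot;')
      " #{name}=\"#{esc}\""
    end.join
    "<#{tag}#{kept}>"
  end
end

# Constructed sample: the exact markup from the question.
SAMPLE = %q{<a name="test" onclick="window.alert('hi!');">test</a>}
```

Note that the allowlist rewriter normalizes every kept attribute to double quotes, which is the same quote-rewriting effect Zachary observed in the rendered page.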