This Space for Rent

New Code!

Discount has been pushed up to version 1.6.1 because of some fairly hilarious security holes that the users at reddit found when they put discount in to speed things up a little.

A large userbase is wonderful for finding defects, and they’re still finding them, but I’d rather not have exploitable code as the state of the art for everybody to use. So, here’s some New Code! which patches some security holes and tweaks the rendering a little bit to try to make it a bit closer to how the reference dingus works.

Version 1.6.1 fixes

  1. two security holes (scripting attacks via stupid oversights that I never had test cases for) consisting of

    • if explicit html is forbidden, I was putting out a &lt; then streaming out text until I reached a ‘>’. So if someone did <hi <script>attack<hi</script>, it would work, and
    • I was being overly greedy about escaping (with \) " and ', so a malformed title string could contain arbitrary text, up to and including scripts.
  2. three markdown.pl compatibility cases

    • lines at the end of a paragraph never get <br/>‘ed,
    • blockquotes can be indented up to 3 spaces,
    • SETEXT-style header lines can have trailing spaces.
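
Both holes come down to the same thing: when raw HTML is forbidden, every character that HTML treats as markup has to be encoded, regardless of what comes after it, and a value that lands inside a quoted attribute (a link title) additionally has to encode the quote characters. The following is an added example written for this post, not code from discount itself; `escape_text_flawed` is my approximation of the 1.6.0 behaviour described above (emit `&lt;`, then stream through to the next `>`), kept only so the regression check has something to fail against, and `escape_text`, `escape_attr` and `has_raw_markup` are the hardened counterparts. The input string used is the one quoted in the post.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Append a NUL-terminated string to a growable heap buffer. */
static void put(char **buf, size_t *len, size_t *cap, const char *s)
{
    size_t sl = strlen(s);
    if (*len + sl + 1 > *cap) {
        *cap = (*len + sl + 1) * 2;
        *buf = realloc(*buf, *cap);
        if (!*buf) { perror("realloc"); exit(1); }
    }
    memcpy(*buf + *len, s, sl + 1);
    *len += sl;
}

static void putc1(char **buf, size_t *len, size_t *cap, char c)
{
    char one[2] = { c, 0 };
    put(buf, len, cap, one);
}

/* Approximation (assumed, not discount's code) of the 1.6.0 behaviour the
 * post describes: on '<' emit "&lt;", then copy everything up to and
 * including the next '>' through unchanged. Returns a malloc'd string. */
char *escape_text_flawed(const char *in)
{
    char *buf = NULL; size_t len = 0, cap = 0;
    put(&buf, &len, &cap, "");
    while (*in) {
        if (*in == '<') {
            put(&buf, &len, &cap, "&lt;");
            in++;
            while (*in && *in != '>') putc1(&buf, &len, &cap, *in++);
            if (*in == '>') putc1(&buf, &len, &cap, *in++);
        } else {
            putc1(&buf, &len, &cap, *in++);
        }
    }
    return buf;
}

/* Hardened text-node escaper: every '<', '>' and '&' becomes an entity,
 * no matter what follows it. Returns a malloc'd string. */
char *escape_text(const char *in)
{
    char *buf = NULL; size_t len = 0, cap = 0;
    put(&buf, &len, &cap, "");
    for (; *in; in++) {
        switch (*in) {
        case '<': put(&buf, &len, &cap, "&lt;");  break;
        case '>': put(&buf, &len, &cap, "&gt;");  break;
        case '&': put(&buf, &len, &cap, "&amp;"); break;
        default:  putc1(&buf, &len, &cap, *in);   break;
        }
    }
    return buf;
}

/* Escaper for a double-quoted attribute value such as a link title: on top
 * of the text-node entities, '"' and '\'' are encoded so the value can never
 * close the attribute or the tag it sits in. Returns a malloc'd string. */
char *escape_attr(const char *in)
{
    char *buf = NULL; size_t len = 0, cap = 0;
    put(&buf, &len, &cap, "");
    for (; *in; in++) {
        switch (*in) {
        case '<':  put(&buf, &len, &cap, "&lt;");   break;
        case '>':  put(&buf, &len, &cap, "&gt;");   break;
        case '&':  put(&buf, &len, &cap, "&amp;");  break;
        case '"':  put(&buf, &len, &cap, "&quot;"); break;
        case '\'': put(&buf, &len, &cap, "&#39;");  break;
        default:   putc1(&buf, &len, &cap, *in);    break;
        }
    }
    return buf;
}

/* Regression check for the "raw HTML forbidden" mode: rendered output must
 * contain no literal '<', '>' or '"' at all. Returns 1 if any survived. */
int has_raw_markup(const char *s)
{
    return strpbrk(s, "<>\"") != NULL;
}

int main(void)
{
    const char *probe = "<hi <script>attack<hi</script>";  /* input quoted in the post */
    char *bad = escape_text_flawed(probe), *good = escape_text(probe);
    char *title = escape_attr("say \"hi\" & bye");          /* constructed title string */
    printf("flawed: %s  (raw markup left: %d)\n", bad, has_raw_markup(bad));
    printf("fixed:  %s  (raw markup left: %d)\n", good, has_raw_markup(good));
    printf("title:  %s\n", title);
    free(bad); free(good); free(title);
    return 0;
}
```

The useful habit here is the last function: a test that feeds the renderer a handful of malformed tags and quoted titles and asserts that no `<`, `>` or `"` reaches the output in raw form catches this whole class of "stream until the closing character" oversights, which is exactly the test case the post says was missing.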

I also tweaked one more markdown.pl compatibility case, in that list items absorb new paragraphs if they’re indented at all. The reference implementation is somewhat pathological about how it treats nested lists (in a way that I do not wish to follow) but I changed my “subsequent paragraph snarf” code in markdown.c to absorb paragraphs indented by at least the indent level of the list (so if the list is indented two spaces, following paragraphs indented two spaces will be absorbed.)

There are, of course, some more fun standards glitches that the reddit userbase have gleefully discovered in their saturation bombing quality control session, but they weren’t reported until today (and, of course, one of them involves emphasis, which is always fun to try to implement properly) and, more importantly, aren’t fatal, so they’re going to wait for version 1.6.2, which will follow as soon as the rubble isn’t bouncing quite so vigorously as it is now.