redcarpet performs unnecessary escape for rendered tag #414
Hello @jylitalo,

Actually Redcarpet performs such escaping for legacy security reasons (see #82). If you want quotes inside script tags not to be escaped, you need to make sure that they aren't in a paragraph:

This will be escaped <script>alert("foo");</script> !

This will not:

<script>alert("bar");</script>

I'm giving it a close; thanks for spotting this! :-)

This markdown

Testing
<script>
var var1 = 'en';
var var2 = '{{ site.url }}'
</script>
Testing

ends up producing the following HTML with Redcarpet 3.2.0

<p>Testing</p>
<p><script>
var var1 = 'en';
var var2 = ''
</script></p>
<p>Testing</p>

Not sure what I'm missing -- how do I prevent Redcarpet from putting the tags around the script tags?

@mattberther: Yep, this is a different bug, this has already been fixed with 0f7f500. Normally, this change is included in Redcarpet 3.2.2 (also see #440).

When I use rdiscount as markdown parser in jekyll, my liquid tag (at https://github.com/jylitalo/ylitalot-net/blob/master/_plugins/colorbox.rb) will properly render:
<script>$(document).ready(function() {$('a[href$="_l.jpg"]').colorbox();});</script>
If I try to use redcarpet for the same task, it will come out as
<script>$(document).ready(function() {$('a[href$="_l.jpg"]').colorbox();});</script>
which in my case doesn't serve its purpose.
So the problem is that redcarpet somehow seems to escape text from my render method (' character into ' and " to "), while rdiscount seems to trust that the plugin produces proper HTML.
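
The two symptoms reported in this thread (quotes escaped inside a script that ended up inline in a paragraph, and a script wrapped in `<p>` tags) can be caught in a site's rendered HTML before it is published. The check below is an added example, not code from this thread or from Redcarpet: `audit_scripts`, `Finding` and the sample strings are hypothetical, the samples are constructed from the snippets quoted above, and the entity forms it looks for are an assumption about what an escaping renderer emits.

```ruby
# Added example (not Redcarpet or Jekyll code): audit rendered HTML for the
# two symptoms reported in this thread. All names here are hypothetical.

# Assumption: entity forms a renderer may emit for " and ' in escaped text.
ESCAPED_QUOTE = /&quot;|&#39;|&#x27;|&apos;/i
# Optional "<p>" directly before the tag, then the script body (non-greedy).
SCRIPT_BLOCK = %r{(<p>\s*)?<script\b[^>]*>(.*?)</script>}mi

Finding = Struct.new(:line, :problems)

# Returns one Finding per <script> element that looks mangled by the renderer.
def audit_scripts(html)
  findings = []
  html.scan(SCRIPT_BLOCK) do
    m = Regexp.last_match
    problems = []
    problems << :wrapped_in_p if m[1]
    problems << :escaped_quotes if ESCAPED_QUOTE.match?(m[2])
    next if problems.empty?
    line = html[0...m.begin(0)].count("\n") + 1
    findings << Finding.new(line, problems)
  end
  findings
end

# Constructed samples modelled on the snippets quoted in the thread.
BLOCK_OK = %(<script>alert("bar");</script>\n)
INLINE_ESCAPED = %(<p>This will be escaped <script>alert(&quot;foo&quot;);</script> !</p>\n)
WRAPPED = "<p>Testing</p>\n<p><script>\n  var var1 = 'en';\n  var var2 = ''\n" \
          "</script></p>\n<p>Testing</p>\n"

if __FILE__ == $PROGRAM_NAME
  { "block" => BLOCK_OK, "inline" => INLINE_ESCAPED, "wrapped" => WRAPPED }.each do |name, html|
    found = audit_scripts(html).map { |f| "line #{f.line}: #{f.problems.join(', ')}" }
    puts "#{name}: #{found.empty? ? 'ok' : found.join('; ')}"
  end
end
```

This is a heuristic: a script whose source legitimately contains one of those entity strings is flagged as well, so treat a finding as a prompt to look at the Markdown around that script tag.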