Markdown Comments in Textpattern
I’ve switched the formatting syntax in the comment processor from Textile to the more well-known Markdown — specifically Michel Fortin’s MarkdownExtra, since I wanted readers to have access to such amenities as footnotes, tables, and the like.
Fortin’s recommended method of installing MarkdownExtra for Textpattern is to rename markdown.php to classTextile.php and drop this file in place of Textpattern’s old one. This works well, but it brings a big security hazard: Markdown syntax explicitly allows the use of plain HTML, but Fortin’s class does no filtering for malicious content (unlike Textile, which has options for escaping all HTML when processing user comments). This means that if you don’t do any extra work, you leave yourself pretty wide open to XSS attacks.
My solution was to bolt on the excellent HTML Purifier package. After installing it on the server, edit the new classTextile.php and add this line just above the definition for class Textile:
require_once '/path/to/web/plugins/htmlpurifier/HTMLPurifier.standalone.php';
Then change the TextileRestricted function to read as follows:
function TextileRestricted($text, $lite='', $noimage='') {
    // Textpattern calls TextileRestricted() for untrusted input (comments).
    // Run HTML Purifier over the raw comment text first, so raw HTML typed by
    // the commenter is reduced to the purifier's default safe whitelist.
    $purifier = new HTMLPurifier();
    $text = $purifier->purify($text);
    // Then hand the cleaned text to the Markdown conversion that Fortin's
    // renamed class provides under the Textile method name. Note that markup
    // generated by the Markdown conversion itself is not purified at this point.
    return $this->TextileThis($text, $lite);
}
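Because the function above purifies the Markdown source rather than the rendered result, markup that the Markdown conversion itself emits (links, footnotes, tables) never passes through the purifier. The following is an added example, not code from the original post or from Fortin’s package, showing the other ordering: convert first, then purify the resulting HTML against an explicit whitelist suited to comments. It assumes Fortin’s markdown.php exposes a Markdown() function and that the include paths are adjusted for your server.

```php
<?php
// Added example: render Markdown first, then purify the HTML it produced.
// Assumptions: HTMLPurifier.standalone.php and Fortin's markdown.php (which
// defines Markdown()) live at the paths below; adjust them for your install.
require_once '/path/to/web/plugins/htmlpurifier/HTMLPurifier.standalone.php';
require_once '/path/to/web/plugins/markdown.php';

function render_comment_markdown($text) {
    // 1. Convert Markdown (Extra) to HTML. At this stage both raw HTML the
    //    commenter typed and markup Markdown generates are still unfiltered.
    $html = Markdown($text);

    // 2. Purify the rendered HTML with a whitelist for comment content.
    //    sup/hr cover MarkdownExtra footnotes; the table tags cover its tables.
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed',
        'p,br,a[href|title],em,strong,code,pre,blockquote,ul,ol,li,'
        . 'table,thead,tbody,tr,th,td,sup,hr');
    // Only permit link schemes a comment legitimately needs.
    $config->set('URI.AllowedSchemes',
        array('http' => true, 'https' => true, 'mailto' => true));
    // Mark commenter links rel="nofollow" so they carry no search weight.
    $config->set('HTML.Nofollow', true);
    // HTML Purifier caches its definitions; point it at a writable directory.
    $config->set('Cache.SerializerPath', '/tmp');

    $purifier = new HTMLPurifier($config);
    return $purifier->purify($html);
}
```

With this helper in place, TextileRestricted() can simply return render_comment_markdown($text), so the purifier sees the final HTML rather than the Markdown source.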