MyShaarli/plugins/markdown/README.md
ArthurHoaro e037610115 Add markdown_escape setting
This setting allows to escape HTML in markdown rendering or not.
The goal behind it is to avoid XSS issue in shared instances.

More info:

  * the setting is set to true by default
  * it is set to false for anyone who already have the plugin enabled
  (avoid breaking existing entries)
  * improve the HTML sanitization when the setting is set to false - but don't consider it XSS proof
  * mention the setting in the plugin README
2017-02-28 19:16:54 +01:00

2.3 KiB

Markdown Shaarli plugin

Convert all your shaares description to HTML formatted Markdown.

Read more about Markdown syntax.

Markdown processing is done with Parsedown library.

Installation

As a default plugin, it should already be in tpl/plugins/ directory. If not, download and unpack it there.

The directory structure should look like:

--- plugins
  |--- markdown
     |--- help.html
     |--- markdown.css
     |--- markdown.meta
     |--- markdown.php
     |--- README.md

To enable the plugin, just check it in the plugin administration page.

You can also add markdown to your list of enabled plugins in data/config.json.php (general.enabled_plugins list).

This should look like:

"general": {
  "enabled_plugins": [
    "markdown",
    [...]
  ],
}

Parsedown parsing library is imported using Composer. If you installed Shaarli using git, or the master branch, run

composer update --no-dev --prefer-dist

No Markdown tag

If the tag nomarkdown is set for a shaare, it won't be converted to Markdown syntax.

Note: this is a special tag, so it won't be displayed in link list.

HTML escape

By default, HTML tags are escaped. You can enable HTML tags rendering by setting security.markdwon_escape to false in data/config.json.php:

{
  "security": {
    "markdown_escape": false
  }
}

With this setting, Markdown support HTML tags. For example:

> <strong>strong</strong><strike>strike</strike>

Will render as:

strongstrike

Warning:

  • This setting might present security risks (XSS) on shared instances, even though tags such as script, iframe, etc should be disabled.
  • If you want to shaare HTML code, it is necessary to use inline code or code blocks.
  • If your shaared descriptions contained HTML tags before enabling the markdown plugin, enabling it might break your page.

Known issue

Redirector

If you're using a redirector, you need to add a space after a link, otherwise the rest of the line will be urlencode.

[link](http://domain.tld)-->test

Will consider http://domain.tld)-->test as URL.

Instead, add an additional space.

[link](http://domain.tld) -->test

Won't fix because a ) is a valid part of an URL.