BlueCloth throws exceptions! Be careful! (was: auto_link fails to handle tilda's (~) and markdown f
2006-08-15 02:08:24
On 12/15/05, Sam Joseph <samneurogrid.com> wrote:
> markdown couldn't handle an acute accent (`) e.g.
>
> Hawai`i
>
> It seems that acute accents (or backticks) in Markdown signify code
> segments, and it seems there's an open ticket for this:
>
> http://www.deveiate.org/projects/BlueCloth/ticket/24

I would just like to bring this to everyone's attention again because
this problem just came up on my own site. The entire front page was
brought down by a single post which had the string "``" in it,
although the "Hawai`i" example above works just as well.

I did _not_ and still do _not_ expect a text formatting function like
markdown to throw exceptions, but it does. All you need are unmatched
back-ticks in the text, although if you search the source of
bluecloth.rb, you can find plenty of instances of the word "raise"...

I searched around on Google for sites offering Markdown styling of
comments, and brought a few preview pages down with a message as
simple as "``Thanks.''" I wasn't rude enough to experiment by actually
publishing the comment, but it clearly would have brought down the
post being commented upon, any administration interface which
attempted to render the comment, etc.

Basically, if you are using BlueCloth, treat it as unsafe. Catch
exceptions. You'll save yourself a few frustrating "Application Error"
pages on some of the rare edge cases, and protect yourself from one of
the simplest DoS attacks I've seen.

> CHEERS> SAM

Sincerely,

Tom Lieber
http://AllTom.com/
http://GadgetLife.org/
_______________________________________________
Rails mailing list
Railslists.rubyonrails.org
http://lists.rubyonrails.org/mailman/listinfo/rails
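Added example, not code from the original post and not BlueCloth's own code: a render wrapper that contains formatter exceptions so one bad comment cannot take a whole page down, degrading the comment to escaped plain text and logging the failure. `FragileMarkdown` is a constructed stand-in that raises on an unmatched backtick run the way the post describes; `render_markdown_safely` and its `formatter:` / `logger:` arguments are assumptions, not a real API.

```ruby
require 'cgi'

# Constructed stand-in for the formatter described in the post. It is NOT
# BlueCloth's code; it only reproduces the reported failure mode: a run of
# backticks that never gets a matching closing run makes #to_html raise.
class FragileMarkdown
  def initialize(text)
    @text = text
  end

  def to_html
    raise ArgumentError, 'unterminated code span' if unmatched_code_span?(@text)
    "<p>#{CGI.escapeHTML(@text)}</p>"
  end

  # Markdown code spans open and close with backtick runs of equal length,
  # so walk the runs and pair each opener with the next run of the same size.
  def unmatched_code_span?(text)
    runs = text.scan(/`+/)
    until runs.empty?
      opener = runs.shift
      closer = runs.index(opener)
      return true if closer.nil?
      runs.slice!(0..closer)
    end
    false
  end
end

# Render untrusted Markdown so that one bad comment cannot take the page down:
# any exception from the formatter is contained and logged, and the comment
# degrades to HTML-escaped plain text (escaped, so the fallback cannot inject
# markup). `formatter` and `logger` are assumed interfaces, not a real API.
def render_markdown_safely(text, formatter: FragileMarkdown, logger: nil)
  formatter.new(text).to_html
rescue StandardError => e
  logger&.call("markdown render failed (#{e.class}): #{e.message}")
  "<pre>#{CGI.escapeHTML(text)}</pre>"
end

if __FILE__ == $PROGRAM_NAME
  # Inputs from the post: both would have raised straight through to the page.
  ['Hawai`i', "``Thanks.''", 'use `code` here'].each do |comment|
    puts render_markdown_safely(comment, logger: ->(m) { warn m })
  end
end
```

The same wrapper shape applies to any formatter: wrap the call, log the exception with enough context to find the offending record, and never let the raw (unescaped) input reach the page in the fallback.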
