Is there a way to prevent abuse of Markdown nesting?

I am using the PHP Markdown script, available here: http://michelf.com/projects/php-markdown/

Today I noticed that if someone sends a message with text like:

>>>>>>>>>>>>>>>>>> Hello World <<<<<<<<<<<<<<<<<<<<

... Xdebug will result in a fatal error due to over 100 nested function calls. Then I realized that pretty much any markdown syntax could be abused in this way - in many cases unintentionally.

I fixed the problem by replacing the >>>> instances with >\>\>\> , but that doesn't seem like an adequate solution at all.

Has anyone come across this? Is there a better PHP script to format Markdown?

+4
1 answer

With Markdown, the normal route is to make sure you have good HTML processing to apply later, and then add hacks as needed. For >>>>>, a simple hack would be:

    // Escape every character in any run of five or more ">" so the parser
    // treats them as literal text instead of nested blockquotes.
    $input = preg_replace_callback(
        '|>{5,}|',
        function ($match) { return preg_replace('|.|', '\>', $match[0]); },
        $input
    );

This adds a backslash to escape each > in runs that are five or more characters in length.

Fortunately, there are attempts to write more robust Markdown parsers. One such effort is the Upskirt-based Sundown, which is written in C but has a PHP extension: https://github.com/chobie/php-sundown

0
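A more targeted version of the same idea, added here as an example and not part of the original answer: instead of escaping every run of five or more > anywhere in the text, cap the blockquote nesting depth by escaping only the line-initial markers beyond a chosen limit, so the parser recurses at most that many times per line. The function name limitBlockquoteDepth and the $maxDepth parameter are assumptions, not part of PHP Markdown.

```php
<?php
// Added example (not from the original post or from PHP Markdown): cap the
// blockquote nesting depth before the text is handed to the Markdown parser.
// Only ">" markers at the start of a line create nested <blockquote> elements,
// so surplus line-initial markers are escaped as "\>" and render as literal
// text while ">" inside a sentence is left untouched.
function limitBlockquoteDepth(string $markdown, int $maxDepth = 8): string
{
    $lines = preg_split('/\R/', $markdown);
    foreach ($lines as &$line) {
        // Leading run of blockquote markers: up to 3 spaces, ">", optional space.
        if (preg_match('/^((?:[ ]{0,3}>[ ]?)+)(.*)$/', $line, $m)) {
            $markers = substr_count($m[1], '>');
            if ($markers > $maxDepth) {
                // Keep the first $maxDepth markers; escape every extra one.
                $kept    = str_repeat('> ', $maxDepth);
                $escaped = str_repeat('\\>', $markers - $maxDepth);
                $line    = $kept . $escaped . ' ' . ltrim($m[2]);
            }
        }
    }
    unset($line);
    return implode("\n", $lines);
}

// Constructed sample input: 18 markers, well beyond any sensible quote depth.
$input = str_repeat('>', 18) . ' Hello World ' . str_repeat('<', 20);
echo limitBlockquoteDepth($input, 4), "\n";
```

This only bounds blockquote recursion; other constructs the question mentions (deeply nested lists, emphasis) need their own limits, and the depth cap should be applied after any other normalisation of leading whitespace.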
