Ability to nest markup

Would be nice to have this working:

A **nice** page

That's another issue, but that would be good also:

**The** Home

BTW, the following patch fixes both:

diff -r 3dd109567b0c hatta.py
--- a/hatta.py	Tue Nov 24 14:07:38 2009 +0100
+++ b/hatta.py	Tue Nov 24 14:40:50 2009 +0100
@@ -877,17 +877,19 @@
         return self._line_link(groups)

     def _line_link(self, groups):
-        target = groups['link_target']
+        target = groups['link_target'].strip()
         text = groups.get('link_text')
         if not text:
             text = target
             if '#' in text:
                 text, chunk = text.split('#', 1)
+        else:
+            text = u"".join(self.parse_line(text))
         match = self.image_re.match(text)
         if match:
             image = self._line_image(match.groupdict())
             return self.wiki_link(target, text, image=image)
-        return self.wiki_link(target, text)
+        return self.wiki_link(target, label=text)

     def _line_image(self, groups):
         target = groups['image_target']
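
Review bot: in _line_link, the "if not text:" branch still leaves text = target as raw page text, and the new return self.wiki_link(target, label=text) passes it as a label that the second hunk stops escaping, so a link with no label puts the target into the HTML unescaped. Escape text at the end of that branch (after the '#' split) so both branches hand wiki_link ready-made HTML. Separately, in the else branch self.image_re.match(text) now runs on the output of parse_line rather than on the original markup, so the image check should be done before text is replaced with the parsed result.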
@@ -1555,7 +1557,7 @@
     def wiki_link(self, addr, label=None, class_=None, image=None, lineno=0):
         """Create HTML for a wiki link."""

-        text = werkzeug.escape(label or addr)
+        text = label or werkzeug.escape(addr)
         chunk = ''
         if class_ is not None:
             classes = [class_]
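
Review bot: in wiki_link, text = label or werkzeug.escape(addr) turns label into a trusted-HTML argument without saying so; the docstring still reads only "Create HTML for a wiki link." and every caller that passes plain text as label now has to escape it first. State the contract in the docstring, or keep escaping label here and add a separate parameter for labels that are already rendered HTML.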

This introduces an XSS security hole:

[[</a><script>something nasty here</script>]]

I also fail to understand the use cases where it's needed, but that's secondary. I will try to add something similar if you really need it, but allowing nesting feels very awkward to me – it moves to a completely new level of parsing problems. – Radomir Dopieralski


Wahiouhh … you're right …

That's weird, I was expecting the self.parse_line to escape it already … I mean, the _line_text function already calls werkzeug.escape, so why is it still unescaped??? Or am I not calling _line_text? – Ben


You are only calling self.parse_line when the text is in the link label, but in this case the page title itself is used as the label – and it's passed non-parsed and non-escaped. Of course, that's easily fixed by escaping it in the if clause, so the patch is good. The question remains whether it's needed, and what the long-term consequences of adding it to the core are. I'm inclined to include it (especially since you did a lot of work finding the right place in the code to add it), but I'm still a little afraid it will complicate the menu handling, the InterWiki links that I plan to add and any link-related browser-side scripts I want to play with. – Radomir Dopieralski
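
The escaping fix described in the last reply, as an added example that is not part of the original thread or of Hatta's code. It assumes the standard library's html.escape in place of werkzeug.escape, a simplified parse_inline in place of parse_line, and hypothetical function names; the href handling is reduced to plain escaping.

```python
import html
import re

BOLD_RE = re.compile(r"\*\*(.+?)\*\*")

def parse_inline(text):
    """Simplified stand-in for parse_line: escape first, then render **bold**."""
    return BOLD_RE.sub(r"<b>\1</b>", html.escape(text))

def wiki_link(addr, label=None):
    """Contract after the patch: label is already HTML, only addr is escaped."""
    text = label or html.escape(addr)
    return '<a href="/%s">%s</a>' % (html.escape(addr, quote=True), text)

def line_link_patched(target, text=None):
    """Label logic as in the patch: a bare target reaches wiki_link unescaped."""
    target = target.strip()
    if not text:
        text = target
        if '#' in text:
            text, chunk = text.split('#', 1)
    else:
        text = parse_inline(text)
    return wiki_link(target, label=text)

def line_link_fixed(target, text=None):
    """Same logic with the escape added in the if clause."""
    target = target.strip()
    if not text:
        text = target
        if '#' in text:
            text, chunk = text.split('#', 1)
        text = html.escape(text)  # the title is plain text, never markup
    else:
        text = parse_inline(text)  # the parser escapes before adding tags
    return wiki_link(target, label=text)

# The link target quoted in the thread, used here as the page title.
TITLE = "</a><script>something nasty here</script>"

if __name__ == "__main__":
    print(line_link_patched(TITLE))
    print(line_link_fixed(TITLE))
    print(line_link_fixed("Home", "A **nice** page"))
```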