Allow HTML comments when HTML is disabled about discount HOT 5 CLOSED

Try this patch:

diff --git a/markdown.c b/markdown.c
index dc7deea..ad0ea62 100644
--- a/markdown.c
+++ b/markdown.c
@@ -938,7 +938,7 @@ compile_document(Line *ptr, MMIOT *f)
     int eaten;

     while ( ptr ) {
-       if ( !(f->flags & DENY_HTML) && (tag = isopentag(ptr)) ) {
+       if ( (tag = isopentag(ptr)) && ((tag == &comment) || !(f->flags & DENY_H
            /* If we encounter a html/style block, compile and save all
             * of the cached source BEFORE processing the html/style.
             */

I may put it in, but right now I'm worried about security implications (are there flaws in my html block parser that would let someone sneak malign content into the code) and policy implications (some of the sites that use discount run it with -fnohtml, and may be annoyed if any raw html gets through, even if it's just a comment.)

from discount.

I'll pentest it tomorrow, as I have to sleep right now. If it does turn out to have any security vulnerabilities, you can just strip the comments from output.

from discount.

If I have to wrapper discount to strip comments, I would be better off not specialcasing html comments in the first place.

I'm going to close this issue and query the userbase about whether breaking -fnohtml is a good exchange for always having html comments.

from discount.

Upon further consideration there's already a way to pass comments in regular text,
thanks to the raw: pseudo-protocol.

The snippet

text and begin a comment end

generates

p>text and

without having to wait for any future enhancements to the code.

from discount.

Oh, and it works right now, obviously, if discount is in an allow-html mode.

The example was supposed to be

[begin]: raw:<!--
[end]: raw:-->

text and [begin] a comment [end]

from discount.