Embed HTML as code blocks in comments

  • Can't embed HTML code with Markdown's code-block feature, see http://daringfireball.net/projects/markdown/syntax#precode

    And HTML cannot even be posted if set in backticks!

    The HTML element link is always removed. See this block (is not visible!?):

    <link href="/apple-touch-icon.png" rel="apple-touch-icon-precomposed" type="image/png">
    <link href="/apple-touch-icon.png" rel="apple-touch-icon" type="image/png">
    <link href="/apple-touch-icon.png" rel="icon" type="image/png">
    <link href="/apple-touch-icon.png" rel="shortcut icon" type="image/png">
    <link href="/favicon.ico" rel="shortcut icon" type="image/x-icon">
    

    My posting was (see image):

    I wrote the HTML as:

    < link href="/apple-touch-icon.png" rel="apple-touch-icon-precomposed" type="image/png">
    < link href="/apple-touch-icon.png" rel="apple-touch-icon" type="image/png">
    < link href="/apple-touch-icon.png" rel="icon" type="image/png">
    < link href="/apple-touch-icon.png" rel="shortcut icon" type="image/png">
    < link href="/favicon.ico" rel="shortcut icon" type="image/x-icon">
    

    Your HTML filter is too restricted!

  • HTML has to be restricted or these forums risk abuse from outside vectors. Hackers have a huge arsenal of XSS vectors hidden within the depths of the HTML specification and if the HTML filter is eased up here, these forums will be at the mercy of 3rd parties that seek to do harm here.

  • @ngamer01
    Did you understand my post? I wrote:

    Can't embed HTML code with Markdown's code-block feature

    The Markdown code-block feature securely escapes HTML.

    HTML has to be restricted or these forums risk abuse from outside vectors

    < irony > OMG! Yes, HTML is bad, bad insecure markup, not the browsers ;) < /irony >

    Is &lt;script&gt;alert(42)&lt;/script&gt; a risk?
    No, because this is not executable by browsers!

    Is &lt;link src=&quot;bad.js&quot;&gt;alert(42)&lt;/link&gt; insecure?
    No, because this is not executable by browsers!

    Do you think people will post ugly UTF-7 encoded for injection in browsers?

    Hackers have a huge arsenal of XSS vectors

    Yes, I know. As a web developer I know the secrets of XSS and XSRF :)

    if the HTML filter is eased up here, these forums will be at the mercy of 3rd parties that seek to do harm here

    As a result, nobody can post correct examples for code here. One has to link to gists or pastebins from outside.

    Asking about problems with browser bugs will handicap people if they can't post the relevant code.

    OK, my fault, a support forum should not be a place for professional questions.
    Thanks a lot.
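
The escaping behaviour discussed in this thread, as an added example that is not part of any post and is not the forum's own code: a minimal comment renderer that entity-escapes everything the user typed, so markup inside indented code blocks and backtick spans stays visible but inert. All function names are hypothetical, the sample comment is constructed, and `strip_tags` is only an assumed stand-in for the tag-removing behaviour the first post reports.

```python
import html
import re

# Constructed sample comment: raw HTML in prose, an indented code block
# (one of the thread's <link> lines), and a backtick code span.
SAMPLE = (
    "Raw tag: <script>alert(42)</script>\n"
    "\n"
    '    <link href="/favicon.ico" rel="shortcut icon" type="image/x-icon">\n'
    "\n"
    'Inline: `<link rel="icon">` done\n'
)

CODE_SPAN = re.compile(r"`([^`\n]+)`")
BLANK_LINES = re.compile(r"\n(?:[ \t]*\n)+")
TAG_NAME = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)")


def strip_tags(text):
    """Assumed stand-in for a tag-stripping filter: code samples vanish."""
    return re.sub(r"<[^>]*>", "", text)


def render_inline(text):
    """Escape all markup first, then wrap backtick spans in <code>."""
    return CODE_SPAN.sub(r"<code>\1</code>", html.escape(text))


def render_comment(source):
    """Render blank-line separated blocks; 4-space indented blocks are code."""
    rendered = []
    for block in BLANK_LINES.split(source.strip("\n")):
        lines = block.split("\n")
        if all(line.startswith("    ") for line in lines):
            code = "\n".join(line[4:] for line in lines)
            rendered.append("<pre><code>" + html.escape(code) + "</code></pre>")
        else:
            rendered.append("<p>" + render_inline(block) + "</p>")
    return "\n".join(rendered)


def emitted_tags(markup):
    """Tag names present in rendered output; user text must contribute none."""
    return set(TAG_NAME.findall(markup))


if __name__ == "__main__":
    print(render_comment(SAMPLE))
    print(sorted(emitted_tags(render_comment(SAMPLE))))
```

The only tags in the output are the ones the renderer itself emits, which is the property to check when reviewing a comment filter.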
