add HTML_SKIP_SCRIPT

[qingfeng]

pls, review... thanks

[FSX]

Seems good to me. Looks like a good addition. Thanks!

I don't want the Sundown C files in Misaka to be different from the the original Sundown C files, because it makes updating the Sundown files harder. So I'm planning to maintain my own Sundown fork for Misaka, because Sundown isn't really maintained anymore. Only the Sundown C code in Redcarpet.

I'll get that done first and notify you. I can commit the changes for you and mention you or you send a new pull request.

[qingfeng]

I'll get that done first and notify you. I can commit the changes for you and mention you or you send a new pull request.

OK :)

[FSX]

Some unit tests need to be made to ensure nothing (1) comes through.

[qingfeng]

Some unit tests need to be made to ensure nothing (1) comes through.

done~ pls, review~

[FSX]

Reviewing, need some more time.

[FSX]

The code that recognizes tags in Sundown isn't really good. If you, for example, write the <script> tags in uppercase characters they won't be filtered out. And it means that it itsn't really safe to use.

I'm going to do some research on making this better.

[qingfeng]

style tags have the same problem? @FSX

[FSX]

Yes, everything that deals with tag skipping.

[FSX]

I almost forgot this, but we also need to check tag attributes that can contain JavaScript.

[qingfeng]

I almost forgot this, but we also need to check tag attributes that can contain JavaScript.

Can you give an example? thanks

[FSX]

Things like this:

<img src="javascript:alert('bleep')">
<img src="image.jpg" onmouseover="javascript:alert('bleep')">

[qingfeng]

So, you want to

before:

<img src="javascript:alert('bleep')">

after:

<img src="">

Like this?

[FSX]

Yes.