我有一个包含一些降价的textarea。我不希望用户在其中发布html,除非它在像
这样的降价代码块中``` someLanguageCode
<span>some html inside markdown code block</span>
```
我不想在markdown代码块之外允许任何html。所以这是非法的:
<span>some html tag outside code block</span>
<div>some more multiline html code outside
</div>
``` someLanguageCode
<span>some html inside markdown code block</span>
```
我能够获得单行html标签的正则表达式。 <([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>(.*?)<\/\1>
我无法
我已经制作了jsfiddle来解决这个问题,该问题显示应该匹配或应该被拒绝的内容。
我这样做是为了避免明显的XSS注射。
答案 0 :(得分:2)
正如评论中已经提到的那样,你不应该尝试用正则表达式解析整个HTML。我想你最后要删除标签并将其标记为无效。我创建了一个jsfiddle,我在其中放置了一些解析结构的代码,使您可以在降价区域或外部应用代码:
var valid = '``` someLanguageCode'+
'<span>some html inside markdown code block</span>'+
'```'; // Valid string
var broken = '``` someLanguageCode'+
'<span>some html inside markdown code block</span>'; //Markdown not closed (broken string)
var not_valid = '<span>Me is outside.</span>'+
'``` someLanguageCode'+
'<span>some html inside markdown code block</span>'+
'```'; // Not valid string
var s = not_valid; //Change this to test
document.getElementById('code').innerHTML = check_html_in_markdown(s);
function check_html_in_markdown(s){
s = s.split(/```/);
//Check if markdown blocks are closed correctly
var is_broken = false;
if(s.length % 2 == 0){ //odd number of markdown ``` means not closed
is_broken = true;
alert('Markown is broken');
}
if(!is_broken){
var in_markdown = false;
for(var i in s){
in_markdown = i % 2 == 1;
if(!in_markdown){
//Code to find HTML-Tags and replace them
s[i] = s[i].replace(/<[a-z\/][^>]*>/g, ' **Your replacement** ');
} else {
//Here you can do nothing or check with a HTML-Parser if there is valied HTML
}
}
}
return s.join('```');
}