Ask an Expert

Allow HTML in comment code blocks

Asked by Charlie Gorichanaz
Posted October 16, 2013, in Featured.

I am using Markdown with Smartypants to process comments similar to the example in the documentation for the filters modifier:

    <$mt:CommentBody convert_breaks="0" filters="markdown_with_smartypants"$>

This works great except for when comments include certain HTML or Movable Type tags within code blocks.

For example, if a comment contains:

This is comment text followed by a code block

    <p>Example paragraph</p>

It renders as expected, with the angle brackets changed in the code to HTML character entities so the code appears normal to the viewer. The source code looks like:

    <p>This is a comment</p>

    <pre><code>&lt;p&gt;test&lt;/p&gt;
    </code></pre>

But when the code blocks contain HTML tags that are not explicitly allowed in comments via the “Limit HTML tags” setting in “Feedback Settings,” the tags are just omitted. This happens when an MT tag appears in the code block.

For example, if a comment contains:

This is comment text followed by a code block with banned tags

    <mt:Entries>Title: <$mt:EntryTitle$></mt:Entries>

It renders with the banned tags removed. The source code looks like:

    <p>This is comment text followed by a code block with banned tags</p>

    <pre><code>Title:
    </code></pre>

If the code block is entirely banned tags, the code block might not even show up at all on the published page. I found if I added specific Movable Type tags to the “Limit HTML tags” list, I could get them to show up, but that seems tedious, and I’d like an elegant solution. How can I accomplish this?

1 Answer

Charlie Gorichanaz on October 16, 2013, 6:15 p.m. Reply

As you started to figure out, Movable Type automatically performs sanitizing on comment text while it is being output by a <mt:CommentBody> tag. The problem you are having is due to the order of operations, so to speak. MT is filtering out the XML-like (includes MT tags) tags before the text is processed by Markdown with Smartypants. What you want is for the sanitizing to happen after processing by Markdown with Smartypants.

Luckily, Movable Type provides a way for you to influence this via the sanitize modifier.

You could simply turn off sanitizing by adding sanitize="0" to your Comment Detail template:

    <$mt:CommentBody sanitize="0" convert_breaks="0" filters="markdown_with_smartypants"$>

This is not recommended, though, as it could allow commenters to break your site layout or cause security problems.

The best solution is to explicitly add sanitize="1" to your Comment Detail template after the Markdown piece:

    <$mt:CommentBody convert_breaks="0" filters="markdown_with_smartypants" sanitize="1"$>

If sanitize is not specified, MT automatically sanitizes the content first. By specifying sanitize="1" explicitly, you are telling MT to do normal sanitizing, but in the order you specify, as template tag modifier order is meaningful.

How this works out in your example is the Markdown with Smartypants code will automatically properly encode any tags within code blocks, so by the time MT’s sanitizer sees the content, there are no raw HTML tags left in those code blocks. Any tags outside of code blocks are not escaped by Markdown, and those will be handled as usual through sanitizing. See the Markdown Syntax Documentation for more details on its autoescaping.

Charlie Gorichanaz

Charlie joined Six Apart as a Japan based product manager for Movable Type in February 2014 after spending two years as a developer for 601am. Previously he was the web director of The Badger Herald while studying biochemistry at the University of Wisconsin-Madison.

Website: http://votecharlie.com/
Twitter: @CNG
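
The modifier ordering described in the answer above, as an added example that is not part of the original post and is not Movable Type's code. The `sanitize` and `markdown` functions are toy stand-ins (assumptions) for MT's sanitizer and Markdown with Smartypants, run in each order over a constructed comment:

```python
import html
import re

# Assumption: toy stand-in for the "Limit HTML tags" allowlist.
ALLOWED_TAGS = {"p", "pre", "code", "a", "b", "i", "br", "strong", "em"}
# Matches HTML-style tags and MT tags such as <mt:Entries> or <$mt:EntryTitle$>.
TAG_RE = re.compile(r"</?\s*\$?([A-Za-z][\w:]*)[^<>]*>")

def sanitize(text):
    """Remove every tag not on the allowlist; text between tags is kept."""
    def keep_or_drop(m):
        return m.group(0) if m.group(1).lower() in ALLOWED_TAGS else ""
    return TAG_RE.sub(keep_or_drop, text)

def markdown(text):
    """Toy Markdown: 4-space-indented blocks become escaped <pre><code>,
    other blocks become <p> with inline HTML passed through untouched."""
    out = []
    for block in re.split(r"\n{2,}", text.strip("\n")):
        lines = block.split("\n")
        if all(line.startswith("    ") for line in lines):
            code = "\n".join(line[4:] for line in lines)
            out.append("<pre><code>" + html.escape(code, quote=False) + "\n</code></pre>")
        else:
            out.append("<p>" + block.strip() + "</p>")
    return "\n\n".join(out)

def default_order(comment):    # no sanitize attribute: sanitize runs first
    return markdown(sanitize(comment))

def explicit_order(comment):   # filters="..." then sanitize="1"
    return sanitize(markdown(comment))

def unsanitized(comment):      # sanitize="0"
    return markdown(comment)

# Constructed sample comment: one disallowed tag in prose, MT tags in a code block.
COMMENT = (
    "Code block with banned tags <script>alert(1)</script>\n"
    "\n"
    "    <mt:Entries>Title: <$mt:EntryTitle$></mt:Entries>\n"
)

if __name__ == "__main__":
    for name, fn in [("default", default_order), ("explicit", explicit_order),
                     ("sanitize=0", unsanitized)]:
        print(f"--- {name} ---\n{fn(COMMENT)}\n")
```

In the explicit order the code block survives as entities while the disallowed tag in the prose is still stripped; with sanitizing off, that tag reaches the page unchanged.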
