Tom Lieber
2006-Aug-15 02:08 UTC
[Rails] BlueCloth throws exceptions! Be careful! (was: auto_link fails to handle tilda's (~) and markdown fails to handle acute accent (`))
On 12/15/05, Sam Joseph <sam@neurogrid.com> wrote:
> markdown couldn't handle an acute accent (`) e.g.
>
> Hawai`i
>
> It seems that acute accents (or backticks) in Markdown signify code
> segments, and it seems there's an open ticket for this:
>
> http://www.deveiate.org/projects/BlueCloth/ticket/24

I would just like to bring this to everyone's attention again because this problem just came up on my own site. The entire front page was brought down by a single post which had the string "``" in it, although the "Hawai`i" example above works just as well. I did _not_ and still do _not_ expect a text formatting function like markdown to throw exceptions, but it does. All you need are unmatched back-ticks in the text, although if you search the source of bluecloth.rb, you can find plenty of instances of the word "raise"...

I searched around on Google for sites offering Markdown styling of comments, and brought a few preview pages down with a message as simple as "``Thanks.''" I wasn't rude enough to experiment by actually publishing the comment, but it clearly would have brought down the post being commented upon, any administration interface which attempted to render the comment, etc.

Basically, if you are using BlueCloth, treat it as unsafe. Catch exceptions. You'll save yourself a few frustrating "Application Error" pages on some of the rare edge cases, and protect yourself from one of the simplest DoS attacks I've seen.

> CHEERS
> SAM

Sincerely,
Tom Lieber
http://AllTom.com/
http://GadgetLife.org/
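The "catch exceptions" advice above, as an added example that is not from the post or from the BlueCloth project: a wrapper that renders untrusted text through a Markdown formatter and falls back to HTML-escaped plain text if the formatter raises, so one malformed comment cannot take down the page that renders it. `FakeBlueCloth` is a constructed stand-in (hypothetical, not the real gem) that raises on unmatched backticks the way the post describes, so the example runs offline.

```ruby
require 'cgi'

# Constructed stand-in for a Markdown renderer with a BlueCloth#to_html-style
# interface. It approximates the failure described in the post: any backtick
# that does not form a non-empty `code` span makes it raise. This is NOT the
# real BlueCloth logic, only a reproduction of the symptom.
class FakeBlueCloth
  def initialize(text)
    @text = text
  end

  def to_html
    leftover = @text.gsub(/`[^`]+`/, '')
    raise ArgumentError, 'unmatched backtick in input' if leftover.include?('`')
    "<p>#{@text.gsub(/`([^`]+)`/, '<code>\1</code>')}</p>"
  end
end

# Render user-supplied text, but never let a formatter exception propagate to
# the view. On failure, log the problem and return the text HTML-escaped in a
# <pre> block: the comment still displays, nothing is executed, and the rest of
# the page renders normally.
def safe_markdown(text, renderer: FakeBlueCloth, logger: nil)
  renderer.new(text).to_html
rescue StandardError => e
  logger&.call("markdown render failed: #{e.class}: #{e.message}")
  "<pre>#{CGI.escapeHTML(text)}</pre>"
end

if __FILE__ == $PROGRAM_NAME
  log = ->(msg) { warn msg }
  ['Hawai`i', '``Thanks."', 'use `code` here'].each do |comment|
    puts safe_markdown(comment, logger: log)
  end
end
```

In a Rails view helper the same rescue goes around `BlueCloth.new(text).to_html`, with the logger call replaced by the application logger.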