
What are the downsides of delegating Markdown parsing to the client side?

I'm planning on including Markdown in a coming project. In the past, I've just used a pre-packaged server-side Markdown parser, re-sanitized the HTML output (an unnecessary step?) and shipped it off to the client.

I'm interested in offloading at least this portion of the view rendering to the client. I've used client-side Javascript Markdown parsers with great success in Rails applications before. I'd delegate the body object to watch for DOM insertions of class markdown-parseme or the like and then to parse it and replace the original text with the result.

But this is the first time I'm considering it for an in-the-wild production site. What are the gotchas and security concerns when letting the client handle Markdown rendering? Are there any specific libraries that take these issues into account?

EDIT: the obvious concern that springs to mind is "what about those without Javascript". It is perfectly within our capabilities to detect browsers that don't have Javascript enabled and to implement a mechanism that will allow clients to (perhaps manually) flag that they don't have JS and to move parsing to the server side. I would very much like to investigate if there are serious issues with offloading Markdown parsing to the client beyond this ordinary question of compatibility. Rendering a decently-sized page without output caching is adding a non-negligible amount to the response time and, through that, the server load, and it would be nice if we could be confident in moving that task off the server for 95% of users.

Nowadays, most people use javascript, so this shouldn't be a problem. The showdown library is great for client side rendering.

The assumption that the client is capable of parsing Markdown syntax might be incorrect (at least for some people and for search engines). If you provide these groups with a server-parsed version, you duplicate code. The server usually has more powerful tools to prevent XSS and the like (because that is what servers do: generate HTML from user content in a safe way).

markdown-js isn't finished yet, but it's a JavaScript library for a subset of markdown that uses an AST rather than different stages of HTML conversion. It should produce sane HTML right from the start. I think that this approach, if executed properly, will make rendering markdown on the client side practical.

It intentionally doesn't support embedded HTML.
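The two security points raised in the answers above (the server normally owns XSS prevention, and a client-side parser that refuses embedded HTML sidesteps most of that risk) can be illustrated in a few dozen lines. The following is an added example, not code from the question, the answers, showdown or markdown-js: a renderer for a small Markdown subset that entity-escapes every input line before it recognises any syntax, so no user text can ever reach the page as HTML, and that emits links only for http(s) targets. It also shows the "watch for `markdown-parseme` insertions" wiring from the question, with the server expected to deliver raw Markdown as escaped text content. The supported subset, all function names and the sample input are assumptions made for this illustration.

```javascript
// Added example, not code from the question or from any of the answers.
// Markdown subset: '#' headings, '-'/'*' bullet lists, paragraphs, **bold**,
// *italic*, `code`, [text](url). Names and sample input are assumptions.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// All user text passes through here before it can reach the output string.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Scheme allow-list: anything other than http(s) (javascript:, data:, vbscript:)
// is left as plain text instead of becoming a link.
function safeHref(url) {
  const trimmed = url.trim();
  return /^https?:\/\//i.test(trimmed) ? trimmed : null;
}

// One regex with alternation, so each character is consumed by at most one
// construct (a code span is never re-scanned for bold/italic). The input is
// already escaped, so the captured pieces can be placed inside tags directly.
const INLINE = /`([^`]+)`|\*\*([^*]+)\*\*|\*([^*]+)\*|\[([^\]]+)\]\(([^)\s]+)\)/g;

function renderInline(escaped) {
  return escaped.replace(INLINE, (match, code, bold, italic, linkText, href) => {
    if (code !== undefined) return `<code>${code}</code>`;
    if (bold !== undefined) return `<strong>${bold}</strong>`;
    if (italic !== undefined) return `<em>${italic}</em>`;
    const url = safeHref(href);
    return url ? `<a href="${url}" rel="noopener noreferrer">${linkText}</a>` : match;
  });
}

function renderMarkdown(source) {
  const html = [];
  let paragraph = [];
  let inList = false;
  const flushParagraph = () => {
    if (paragraph.length) {
      html.push(`<p>${renderInline(paragraph.join(' '))}</p>`);
      paragraph = [];
    }
  };
  const closeList = () => { if (inList) { html.push('</ul>'); inList = false; } };
  for (const rawLine of source.split(/\r?\n/)) {
    const line = escapeHtml(rawLine); // escape first, recognise syntax second
    const heading = /^(#{1,6})\s+(.*)$/.exec(line);
    const item = /^[-*]\s+(.*)$/.exec(line);
    if (heading) {
      flushParagraph(); closeList();
      const level = heading[1].length;
      html.push(`<h${level}>${renderInline(heading[2])}</h${level}>`);
    } else if (item) {
      flushParagraph();
      if (!inList) { html.push('<ul>'); inList = true; }
      html.push(`<li>${renderInline(item[1])}</li>`);
    } else if (line.trim() === '') {
      flushParagraph(); closeList();
    } else {
      closeList();
      paragraph.push(line.trim());
    }
  }
  flushParagraph(); closeList();
  return html.join('\n');
}

// Browser-only wiring for the "markdown-parseme" pattern from the question.
// The server emits the raw Markdown as escaped text content of the element
// (never as HTML); the client reads textContent and writes back only the
// renderer's output.
function renderElement(el) {
  el.innerHTML = renderMarkdown(el.textContent);
  el.classList.remove('markdown-parseme');
}

function watchForMarkdown(root) {
  root.querySelectorAll('.markdown-parseme').forEach(renderElement);
  new MutationObserver((records) => {
    for (const record of records) {
      for (const node of record.addedNodes) {
        if (node.nodeType !== 1) continue; // element nodes only
        if (node.classList.contains('markdown-parseme')) renderElement(node);
        node.querySelectorAll('.markdown-parseme').forEach(renderElement);
      }
    }
  }).observe(root, { childList: true, subtree: true });
}

// Constructed sample: ordinary syntax mixed with the two classic probes a
// sanitizer test should cover, an inline <script> tag and a javascript: link.
const SAMPLE = [
  '# Hello *world*',
  'Plain text with <script>alert(1)</script> and **bold**.',
  '',
  '- [safe link](https://example.com/?a=1&b=2)',
  '- [unsafe link](javascript:alert(1))',
  '- `code <b>` span',
].join('\n');

if (typeof document !== 'undefined') {
  watchForMarkdown(document.body);
} else {
  console.log(renderMarkdown(SAMPLE)); // node: print the rendered sample
}
```

Escaping before parsing is what makes the "no embedded HTML" guarantee cheap to reason about: the only tags in the output are the ones the renderer itself writes, and the only attribute values are scheme-checked URLs whose quotes and ampersands have already been entity-encoded. Anything this subset does not understand (the `javascript:` link above, for instance) degrades to visible text rather than to markup. What it does not replace is server-side validation of the stored Markdown for the non-JS and search-engine paths the second answer mentions.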
