
DoeJohn

Markdown VS HTML + Purifier? Please help me decide!

I'm creating a website where users can submit:

  • Blog posts (Articles)
  • Comments
  • Forum posts

Rich text is necessary and this website will be used by non-technical folks (usually older people); therefore, a WYSIWYG editor is required.

I have to decide between using Markdown or HTML (+ Purifier). Here is how I currently see things in terms of good/bad:

MARKDOWN

1. WYSIWYG EDITOR - I was quite surprised when I discovered that there are no Markdown WYSIWYG editors. Actually, the only one that is actively maintained is: https://github.com/nhnent/tui.editor

I really liked that editor, it works great, but the only thing that I don't like is the size of it: minified version (tui-editor-Editor.min.js) is ~300 KB.

Most of the other Markdown editors are not WYSIWYG. There are some editors that are something between. For example, SimpleMDE is not WYSIWYG (but "WYSIWYG-esque") and I want to avoid it (also, it looks like it is not actively maintained anymore).

If you know a good WYSIWYG Markdown editor that is actively maintained, please let me know.

2. YOUTUBE - YouTube videos can't be added directly (when using markdown). I know about some workarounds like this, but that's not an option.

This should not be a problem if one of the packages:

supports autolinking and provides the ability to add a custom rule which will recognize YouTube links and automatically embed them.

But I did not use these packages... so is that possible?

HTML

On the other side, there are many really good HTML WYSIWYG editors. But I see two problems:

1. Security - I will need to use HTML Purifier in order to prevent XSS attacks. Correct me if I'm wrong: when using the ezyang/htmlpurifier package, you are 100% safe, there are no XSS vulnerabilities, right?

2. YouTube - Correct me if I'm wrong, but when using HTML Purifier, it is not possible to embed YouTube videos directly because of <iframe>?

Vilfago

As far as I know, Markdown will be converted to HTML to be displayed... so you can have the same security for embedded videos if you configure your purifier correctly.

Purifier should work with a "white list" of things allowed, and escape everything else, so if it's well configured, you should be safe...

I don't know about Markdown, but you can find WYSIWYG editors for BBCode. And you can often add many tags to support what you want, and convert it to HTML in the back-end.

I think you should try to find the one with the most relevant UI for your users; they will never be interested in whether it's Markdown, BBCode or HTML in the back. That's your job ;)

Both are safe if you handle it properly, and both could handle anything you want.

Nash

HTML:

  1. Purifier will remove scripts and unwanted attributes (e.g. onhover) if configured to do so.

  2. You can embed YouTube videos, you just need to configure the white list to allow iframes. You can even specify the allowed URLs (e.g. allow embeds from YouTube and Vimeo but nothing else).

Markdown is just plain text so it doesn't really need an actual "editor" (front end plugin)? You should use Purifier in any case, since your Markdown will be converted into HTML when displayed on your site.

Technically, there's nothing stopping you from having both. For example, Reddit supports both Markdown and a "fancy pants editor" now.
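The configuration Nash describes, written out as an added example (this is not code from the thread or from the HTML Purifier project; the function name, the tag allowlist and the choice of YouTube and Vimeo as the only embed hosts are my own, and it assumes ezyang/htmlpurifier is installed via Composer):

```php
<?php
// Added example, not from the thread: HTML Purifier (ezyang/htmlpurifier,
// installed via Composer) with a tag allowlist plus YouTube/Vimeo iframes.
// Function name, tag list and embed hosts are my choices.
require_once __DIR__ . '/vendor/autoload.php';

function makeRichTextPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();

    // Allowlist: anything not listed is removed, which covers <script>,
    // <style>, <object>, <form> and every on* event-handler attribute.
    $config->set('HTML.Allowed',
        'p,br,b,strong,i,em,u,s,blockquote,ul,ol,li,h2,h3,pre,code,'
        . 'a[href|title],img[src|alt|width|height],'
        . 'iframe[src|width|height]');

    // Only http(s) in href/src; javascript:, data:, vbscript: are dropped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);

    // <iframe> is only kept when SafeIframe is on AND src matches this
    // regexp. The ^ anchor matters: without it, a src such as
    // https://evil.example/?https://www.youtube.com/embed/ would pass.
    $config->set('HTML.SafeIframe', true);
    $config->set('URI.SafeIframeRegexp',
        '%^(https?:)?//(www\.youtube(?:-nocookie)?\.com/embed/|player\.vimeo\.com/video/)%');

    // User-posted links should not pass PageRank or referrers to spam sites.
    $config->set('HTML.Nofollow', true);

    // Cache serialized definitions; point this at a writable directory.
    $config->set('Cache.SerializerPath', sys_get_temp_dir());

    return new HTMLPurifier($config);
}

// Constructed sample: legitimate content mixed with typical payloads.
$dirty = '<p onmouseover="alert(1)">Hello <b>world</b></p>'
    . '<script>alert(document.cookie)</script>'
    . '<a href="javascript:alert(1)">click</a>'
    . '<iframe src="https://www.youtube.com/embed/2pLL00WR5iU" width="560" height="315"></iframe>'
    . '<iframe src="https://evil.example/phish"></iframe>';

echo makeRichTextPurifier()->purify($dirty), PHP_EOL;
// What survives: the paragraph without its onmouseover, the link text with
// the javascript: href dropped, and only the YouTube iframe.
```

Two practical notes. The `allowfullscreen` attribute is not part of Purifier's built-in iframe definition, so it is left out here; adding it means extending the HTML definition rather than just listing it in HTML.Allowed. And on the "100% safe" question from the original post: the allowlist model is the right one, but it is still a parser that has shipped security fixes over the years, so pin and update the package, and keep a Content-Security-Policy in front of it as a second layer.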

DoeJohn

@Vilfago @Nash Thanks for the answers!

You should use Purifier in any case, since your Markdown will be converted into HTML when displayed on your site.

Hmm, I was thinking that you don't need Purifier when using CommonMark, because if html_input is set to escape or strip and allow_unsafe_links is set to false, then according to the documentation you should be safe, right?

Nash

Yes, that seems to be the case...as long as whatever package you use can remove unwanted HTML and scripts.
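The CommonMark settings discussed above, as an added example that is not from the thread or from the league/commonmark project. It assumes league/commonmark 2.x installed via Composer. The YouTube step is my own addition to show that the "autolink plus a custom rule" idea from the original post is achievable without weakening html_input: it runs on the rendered HTML and copies only a validated video id into the iframe. The function names are my choices.

```php
<?php
// Added example, not from the thread: league/commonmark 2.x (via Composer)
// configured to strip raw HTML and refuse unsafe link schemes, plus a
// post-render step of my own that turns a YouTube link standing alone in a
// paragraph into an embed. Function names are my choices.
require_once __DIR__ . '/vendor/autoload.php';

use League\CommonMark\Environment\Environment;
use League\CommonMark\Extension\Autolink\AutolinkExtension;
use League\CommonMark\Extension\CommonMark\CommonMarkCoreExtension;
use League\CommonMark\MarkdownConverter;

function makeSafeMarkdownConverter(): MarkdownConverter
{
    $environment = new Environment([
        // 'strip' drops raw HTML blocks and inline HTML; 'escape' would
        // show them as literal text instead. Either prevents injected markup.
        'html_input' => 'strip',
        // Links/images whose destination starts with javascript:, vbscript:,
        // file: or data: (other than a few image types) lose their href/src.
        'allow_unsafe_links' => false,
        // Bound nesting depth so a crafted post cannot exhaust the parser.
        'max_nesting_level' => 20,
    ]);
    $environment->addExtension(new CommonMarkCoreExtension());
    // Bare URLs become links, which is what the embed step below keys on.
    $environment->addExtension(new AutolinkExtension());

    return new MarkdownConverter($environment);
}

// Replace a paragraph that consists only of a YouTube link with an iframe.
// Runs on the rendered HTML, so html_input=strip cannot remove the result.
// Only the 11-character video id is copied into the output, so nothing from
// the user-controlled URL reaches the iframe attribute unvalidated.
function embedYouTubeLinks(string $html): string
{
    $pattern = '~<p><a href="https?://(?:www\.)?(?:youtube\.com/watch\?v=|youtu\.be/)'
        . '([A-Za-z0-9_-]{11})"[^>]*>[^<]*</a></p>~';
    $replacement = '<p><iframe src="https://www.youtube-nocookie.com/embed/$1" '
        . 'width="560" height="315" allowfullscreen></iframe></p>';

    return preg_replace($pattern, $replacement, $html);
}

function renderUserMarkdown(string $markdown): string
{
    $html = (string) makeSafeMarkdownConverter()->convert($markdown);

    return embedYouTubeLinks($html);
}

// Constructed sample: ordinary Markdown, three XSS attempts, one video link.
$markdown = <<<'MD'
# Hello

Some *emphasis* and a [normal link](https://example.com/).

<script>alert(document.cookie)</script>

[click me](javascript:alert(1))

<a href="https://example.com" onmouseover="alert(1)">hover</a>

https://www.youtube.com/watch?v=2pLL00WR5iU
MD;

echo renderUserMarkdown($markdown);
```

With these settings the script block disappears, "click me" is rendered as a link without an href, the hand-written anchor is reduced to the text "hover", and the bare YouTube URL becomes an iframe. A URL with extra query parameters (for example a `&t=` timestamp) will not match the embed pattern and simply stays a link, which is the safe default. The one place to keep an eye on is exactly this kind of custom renderer: anything that emits HTML after CommonMark has done its work must validate its own input, because the `html_input` setting no longer sees it.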

Vilfago

I choose BBcode, I use htmlspecialchars on user input, and then convert bbcode to html.

So no purifier on my side, but a white list of bbcode that could be converted (with some regex).

DoeJohn

I used BBCode before on some of my projects and I really like it:

PROS:

  • Easy to understand & more user-friendly than Markdown or HTML;
  • There are some good WYSIWYG BBCode editors such as SCEditor
  • Finally, it's easy to add custom tags (rules), for example:
[youtube]https://www.youtube.com/watch?v=2pLL00WR5iU[/youtube]

or

[youtube]2pLL00WR5iU[/youtube]

CONS:

I've always had trouble finding a good, fast and actively maintained parser/converter.

There are not many packages for "parsing"/converting BBCode to HTML, and most of them are based on kaimallea's regex "parser" which fails at complex, nested tags. In fact, every Laravel BBCode converter package uses kaimallea's regex solution.

There are a few other PHP solutions (packages) that are available, but none of them is actively maintained and each fails at some complex BBCode structures, especially when it comes to nested tags.

phpBB and MyBB have really good BBCode converters, which are also based on regex but way more complex than kaimallea's solution.

I wonder if it's somehow possible to get their converters and use them in our (Laravel) PHP projects? I remember that once I tried to analyze how phpBB's converter works (in order to use it in my Laravel project), but the code was too complex for me and I didn't have enough time.

It would be really great if we could use phpBB or MyBB converters in our own PHP (Laravel) projects!

Vilfago

I coded the converter myself, but it's very similar to kaimallea's (except that I didn't use regex for simple tags such as [b] => <b>, but only str_replace()).

I just used isU as the regex modifiers instead of is, to add the "ungreedy" mode. I don't see any issues with nested tags, but I didn't try very complex code. Do you have any example of failed nested tags?

If it passes, I can share my work with you.
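An added example covering both the approach Vilfago describes earlier (htmlspecialchars on the input, then an allowlist of BBCode tags converted with regexes) and the nested-tag question just above. This is not Vilfago's converter or any of the packages named in the thread; the tag set, the output markup and the function name are my own choices. It also shows the two checks a practitioner would want and that htmlspecialchars alone does not provide: a scheme check on `[url=...]` targets, and handling of same-tag nesting, which a single ungreedy pass gets wrong.

```php
<?php
// Added example, not Vilfago's code: an allowlist BBCode-to-HTML converter
// built the way described above (htmlspecialchars first, then a fixed set of
// tags converted with ungreedy regexes). It adds two checks a practitioner
// wants: [url] targets are restricted to http(s), and same-tag nesting is
// handled by repeating the replacement until nothing changes. Tag names,
// output markup and the function name are my choices.

function bbcodeToHtml(string $input): string
{
    // 1. Neutralise raw HTML first. After this, only the replacements
    //    below can introduce markup, and attribute values cannot contain
    //    an unencoded quote.
    $html = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Simple tags. U (ungreedy) makes "[b]a[/b] x [b]b[/b]" two elements
    //    instead of one; s lets a quote span several lines.
    $simple = [
        '~\[b\](.*)\[/b\]~isU'         => '<strong>$1</strong>',
        '~\[i\](.*)\[/i\]~isU'         => '<em>$1</em>',
        '~\[quote\](.*)\[/quote\]~isU' => '<blockquote>$1</blockquote>',
    ];

    // One pass pairs the first [quote] with the first [/quote], so
    // "[quote]a[quote]b[/quote]c[/quote]" becomes
    // "<blockquote>a[quote]b</blockquote>c[/quote]". Every pass converts at
    // least one more pair at its original position, so for balanced input
    // the final nesting is right; stray unmatched tags stay as text.
    for ($round = 0; $round < 32; $round++) {
        $next = preg_replace(array_keys($simple), array_values($simple), $html);
        if ($next === null || $next === $html) {
            break;
        }
        $html = $next;
    }

    // 3. [url=target]text[/url] with a scheme check. htmlspecialchars does
    //    nothing against "javascript:" in an href, so validate explicitly.
    $html = preg_replace_callback('~\[url=(.*)\](.*)\[/url\]~isU', function (array $m): string {
        $target = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        if (!preg_match('~^https?://[^\s<>"\']+$~i', $target)) {
            return $m[2]; // keep the text, drop the link
        }
        $href = htmlspecialchars($target, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return '<a href="' . $href . '" rel="nofollow noopener">' . $m[2] . '</a>';
    }, $html);

    // 4. [youtube]id[/youtube] or [youtube]watch/youtu.be URL[/youtube].
    //    Only the validated 11-character id reaches the iframe src.
    $html = preg_replace_callback('~\[youtube\](.*)\[/youtube\]~isU', function (array $m): string {
        if (!preg_match('~(?:^|[?&;]v=|youtu\.be/)([A-Za-z0-9_-]{11})(?:$|[&#?;])~', $m[1], $id)) {
            return ''; // unrecognised value: emit nothing rather than a broken embed
        }
        return '<iframe src="https://www.youtube-nocookie.com/embed/' . $id[1]
            . '" width="560" height="315" allowfullscreen></iframe>';
    }, $html);

    return nl2br($html);
}

// Constructed sample: same-tag nesting, raw HTML, a bad and a good link.
$sample = "[quote]outer [quote]inner[/quote] back to outer[/quote]\n"
    . "<script>alert(1)</script>\n"
    . "[url=javascript:alert(1)]bad link[/url] "
    . "[url=https://example.com/?a=1&b=2]good link[/url]\n"
    . "[youtube]https://www.youtube.com/watch?v=2pLL00WR5iU[/youtube]";

echo bbcodeToHtml($sample), PHP_EOL;
```

The repeated-pass trick only repairs nesting of the same tag; improperly interleaved tags such as `[b]x[i]y[/b]z[/i]` still produce overlapping elements, which is one of the "complex nested" cases the regex-based packages in the thread fall down on. For a forum that expects heavy quoting, a small stack-based tokenizer that tracks open tags is the robust answer; the regex version above is adequate for comments and short posts as long as the input is entity-encoded first and every tag that takes a parameter validates it.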
