Description
It would be useful to be able to use the Ruby-like expression language created by this project, within standalone Markdown files and markdown: blocks. For example:

This could either be done by processing the interpolated blocks then passing the result to the Markdown processor:

<img alt="My Image" src="/assets/my_image-12345.svg" />
Or pre-compiling the Markdown, and then performing interpolation:
<img alt="My Image" src="#{image_url my_image.svg}" />
The second would seem preferable, as it allows the Markdown to be pre-compiled, with the interpolation then being just a sequence of text concatenations; but it assumes that the Markdown processor can be made to accept the #{...} blocks in all such contexts (even if they must be HTML-decoded before evaluation).
In either case this should be secure for trusted Markdown as the template text-interpolation logic does HTML encoding of untrusted results, but it is not secure for use with user-provided Markdown, due to the ability to include server-side code in the interpolation blocks, e.g.:
</script>".html_safe})
<img alt="My Image" src=""/><script>alert('pwned!')</script>/>
Or even constructs that could harm the server, e.g. something that causes excessive resource usage, or that takes advantage of in-scope functions or attributes to access secret data or even modify the system.
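As an added illustration of the second approach (pre-compile, then interpolate) and of the untrusted-Markdown concern above, here is a small Ruby sketch that is not this project's code: the Markdown "processor" is a constructed stand-in that only handles image lines, the `#{...}` syntax is taken from the examples above, and instead of evaluating arbitrary expressions the interpolator resolves only a fixed, assumed table of helpers (`image_url`), HTML-decoding the block before lookup and HTML-encoding the helper's result.

```ruby
require "cgi"

# Assumed helper table: the only expressions the interpolator will resolve.
# Anything else (arbitrary server-side code, .html_safe tricks) is rejected
# rather than evaluated.
HELPERS = {
  "image_url" => ->(name) { "/assets/#{name.sub(/\.(\w+)\z/, '-12345.\1')}" }
}.freeze

# Step 1, a constructed stand-in for a real Markdown processor: it renders
# ![alt](target) to an <img> tag. Like many processors it HTML-encodes the
# attribute text, so any #{...} block inside it comes out encoded.
def compile_markdown(md)
  md.gsub(/!\[([^\]]*)\]\(([^)]*)\)/) do
    alt, target = $1, $2
    %(<img alt="#{CGI.escapeHTML(alt)}" src="#{CGI.escapeHTML(target)}" />)
  end
end

# Step 2: find the #{...} blocks left in the compiled HTML, decode them back
# to the original expression text, resolve "helper argument" against the
# table, and encode the result before splicing it into the HTML.
def interpolate(html)
  html.gsub(/#\{([^}]*)\}/) do
    expr = CGI.unescapeHTML($1).strip
    name, arg = expr.split(/\s+/, 2)
    helper = HELPERS[name]
    raise ArgumentError, "unknown helper: #{name.inspect}" unless helper
    CGI.escapeHTML(helper.call(arg.to_s))
  end
end

def render(md)
  interpolate(compile_markdown(md))
end

if __FILE__ == $0
  puts render('![My Image](#{image_url my_image.svg})')
end
```

Rejecting unknown expressions is what makes the untrusted case tolerable; with a real expression evaluator in place of the helper table, the concerns described above apply unchanged.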
Depends on #71