Great work you are doing here. Thanks.
I think both variants are not that good for me. But the
.htaccess is interesting.
md from it to this:
```
# Block access to specific file types for these system folders
RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
# Block access to specific file types for these user folders
RewriteRule ^(user)/(.*)\.(txt|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
# Block all direct access to .md files:
#RewriteRule \.md$ error [F]
```
So the markdown is accessible… I checked: the rules set on the webserver are
775. Are there any security things that are not that good?
I think perhaps there is an XSS problem when there is evil code in the markdown… but the code cannot be injected!?
Here is the result: https://cuterdio.com/user/pages/07.changelog/default.en.md
Now I have to find a rule to remove the metainfos… I think in my case I can search for the first
line starting with #.
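Added example, not part of the original post: a small Python check that evaluates the two active `RewriteRule` patterns from the post against request paths, to see which files under `user/` are no longer denied once `md` is dropped from the list. It models only these two rules, not the rest of the `.htaccess`; apart from the changelog path from the post, the sample paths and the function names are constructed for illustration.

```python
import re

# The two active RewriteRule patterns from the post, in file order.
# In .htaccess context Apache matches the request path without its leading
# slash, case-sensitively unless [NC] is set; [F] answers 403 Forbidden.
RULES = [
    ("system/vendor", re.compile(
        r"^(system|vendor)/(.*)\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$")),
    ("user", re.compile(
        r"^(user)/(.*)\.(txt|yaml|yml|php|pl|py|cgi|twig|sh|bat)$")),
]


def blocked_by(path):
    """Return the name of the first rule that forbids `path`, or None."""
    path = path.lstrip("/")
    for name, pattern in RULES:
        if pattern.search(path):
            return name
    return None  # neither rule denies it; later rules or the file system decide


def audit(paths):
    """Map each path to the blocking rule name (None = not blocked here)."""
    return {p: blocked_by(p) for p in paths}


# Constructed sample paths, except the changelog page taken from the post.
SAMPLE_PATHS = [
    "user/pages/07.changelog/default.en.md",  # page source incl. its header block
    "user/pages/01.home/default.md",
    "user/plugins/example/README.md",         # non-page markdown is exposed too
    "user/config/system.yaml",
    "user/accounts/admin.yaml",
    "system/README.md",                       # system rule still lists md
    "/vendor/autoload.php",
]

if __name__ == "__main__":
    for path, rule in audit(SAMPLE_PATHS).items():
        verdict = f"403 by '{rule}' rule" if rule else "NOT blocked"
        print(f"{verdict:28} {path}")
```

Every `.md` file below `user/` comes back as not blocked, not only the changelog page, while `.yaml` files under `user/` stay forbidden.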