I spent a few evenings this week putting together an online notepad (paste sites are quite useful, for instance notepad.cc) that supported markdown and latex rendering, using the brilliant MathJax project. The site does 3 transformation passes, first turning markdown into html, and then highlighting code with Highlight.js, and rendering math with MathJax.

There are two editting modes, widescreen and narrowscreen. Widescreen gives a live preview on the left and editor on the right, while narrowscreen has a central editor/preview with a toggle between them. With a bit of maintenance code, scrolling/selection is preserved switching between these, so it works rather well even on small screens.

Pages can also be optionally passworded on creation, but cannot be passworded later. They’re still viewable, but need a password to save changes to.

The backend is a Node.js instance backed by a MongoDB database. Using Grasshopper and Mongoose, the server is a single file, and only 100 lines long, which also defines all model and index definitions and error handling. Nginx fronts this server and serves the static files, proxying page requests to node.

Current issue I’m working on is XSS hardiness so the site links can be trusted. Issue is that modern browsers seem to reject obvious attacks such as javascript in source attributes, so testing what is actually vulnerable isn’t so straightforward. I’ve tried a few obvious vectors from http://ha.ckers.org/xss.html, none of which seem to work. I don’t know whether I care to include IE6 as possible targets, given how many attacks work against it.

The DNS changes are still propagating, but it should be available at http://notepag.es sometime today or tomorrow.

If you spot an error and would like to submit a correction, you can view the source for this post on GitHub.