On Thu, Sep 6, 2012 at 8:22 PM, Thomas Purchas <tpurc...@gmail.com> wrote:
> I have submitted a patch to improve the way Django handles html in markdown.
> Specifically how it escapes it.
>
> Ticket 6526 has all of the detail, could someone please review my patch.

As the maintainer of the Python-Markdown library, I'll weigh in here.

I'll start by noting that safe-mode was a poorly chosen name for the feature (which was added before I joined the project). Really, it is a means of restricting raw html and IMO, should only ever "escape" raw html. However, because of the word "safe" in the name, the feature has grown to support other so-called "safety" features to avoid XSS (for example injecting malicious JavaScript into a markdown style link) etc. That said, I can make no claims that it is actually "safe".

The "replace" option is supported for backward compatibility reasons (also why it is still the default) and "remove" is really just a shortcut for "replace" with the "html_replacement_text" set to a blank string. Not sure why anyone would want either of those options. Remove is too surprising to the document author and replace is a lousy (IMO) attempt at an explanation. While escape might not be expected by the author, once noticed, it is not nearly as surprising.

If someone wants "safe" output from Markdown, I recommend using a library specific to that purpose like bleach [1]. In fact, it would make more sense to me to create a separate "clean" filter (perhaps called "clean_html"?) which calls `bleach.clean()` and provide it as a filter that can be used with any of the markup languages offered by Django.

If instead, improvements are only going to be made to the markdown filter, then I would suggest a complete overhaul allowing access to all of markdown's features [2]. For example, markdown outputs xhtml by default. Some may want html - which the markdown lib supports - but the Django filter does not. To me, the markdown filter in its current state is completely useless. I have always had to re-implement my own, more powerful solution.

My recommendation is to do one of the following (in order of preference):

1) Remove contrib.markup (per Django's deprecation policy) and leave it to third party apps to support.
2) Completely refactor the markdown filter to support all of the markdown library's features except for "safe_mode" and add a new "clean" filter which can wrap any markup filter.
3) Add a new "clean" filter and simply drop support for Markdown's safe_mode - leaving the rest as is.

I do not recommend the approach of the current patch. It leaves a bad taste in my mouth. Also note that I do not recommend supporting Markdown's "safe_mode" in any form.

Of course, the Django team will need to make whatever decision will better serve the community - not me.

[1]: https://github.com/jsocol/bleach
[2]: http://packages.python.org/Markdown/reference.html#markdown

--
Waylan Limberg
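An added example, not part of the thread and not Python-Markdown's or bleach's code, of what the proposed "clean" filter does after the markup filter has run: an allowlist sanitizer built on the standard library that escapes any tag outside the allowlist and drops `href` values whose scheme is not allowed (the `javascript:` link case the message mentions). The tag and attribute allowlists and the `clean_html` name are assumptions; a real filter would call `bleach.clean()` instead.

```python
# Added example: allowlist HTML cleaner standing in for bleach.clean().
# Allowlists below are assumed for illustration, not taken from any project.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "em", "strong", "a", "code", "pre", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = {"http", "https", "mailto", ""}  # "" covers relative URLs


class _Cleaner(HTMLParser):
    """Re-emit markup, keeping only allowlisted tags/attributes verbatim."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    @staticmethod
    def _safe_url(url):
        # urlparse lower-cases the scheme; strip() defeats leading whitespace.
        return urlparse(url.strip()).scheme.lower() in ALLOWED_SCHEMES

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Disallowed tag: keep it visible but inert, as escaped text.
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # e.g. onclick, style: silently dropped
            if name == "href" and not self._safe_url(value or ""):
                continue  # javascript:/data: links are dropped, not escaped
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        closing = f"</{tag}>"
        self.out.append(closing if tag in ALLOWED_TAGS else escape(closing))

    def handle_data(self, data):
        # Text (including <script> bodies, which HTMLParser hands over as
        # raw data) is always escaped on output.
        self.out.append(escape(data))


def clean_html(fragment):
    """Return `fragment` with disallowed tags escaped and unsafe hrefs removed."""
    cleaner = _Cleaner()
    cleaner.feed(fragment)
    cleaner.close()
    return "".join(cleaner.out)
```

Note that this runs on the HTML the markup filter produced, so it applies equally to markdown, textile or any other converter, which is the point of making "clean" a separate filter.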