https://bitbucket.org/ionata/django-bleach
On Thursday, September 6, 2012 at 10:48 PM, Waylan Limberg wrote:

> On Thu, Sep 6, 2012 at 8:22 PM, Thomas Purchas <tpurc...@gmail.com> wrote:
> > I have submitted a patch to improve the way Django handles html in markdown. Specifically how it escapes it.
> >
> > Ticket 6526 has all of the detail, could someone please review my patch.
>
> As the maintainer of the Python-Markdown library, I'll weigh in here.
>
> I'll start by noting that safe-mode was a poorly chosen name for the feature (which was added before I joined the project). Really, it is a means of restricting raw html and IMO, should only always "escape" raw html. However, because of the word "safe" in the name, the feature has grown to support other so-called "safety" features to avoid XSS (for example injecting malicious JavaScript into a markdown style link) etc. That said, I can make no claims that it is actually "safe".
>
> The "replace" option is supported for backward compatibility reasons (also why it is still the default) and "remove" is really just a shortcut for "replace" with the "html_replacement_text" set to a blank string. Not sure why anyone would want either of those options. Remove is too surprising to the document author and replace is a lousy (IMO) attempt at an explanation. While escape might not be expected by the author, once noticed, it is not nearly as surprising.
>
> If someone wants "safe" output from Markdown, I recommend using a library specific to that purpose like bleach [1]. In fact, it would make more sense to me to create a separate "clean" filter (perhaps called "clean_html"?) which calls `bleach.clean()` and provide it as a filter that can be used with any of the markup languages offered by Django.
>
> If instead, improvements are only going to be made to the markdown filter, then I would suggest a complete overhaul allowing access to all of markdown's features [2]. For example, markdown outputs xhtml by default. Some may want html - which the markdown lib supports - but the Django filter does not.
>
> To me, the markdown filter in its current state is completely useless. I have always had to re-implement my own, more powerful solution.
>
> My recommendation is to do one of the following (in order of preference):
>
> 1) Remove contrib.markup (per Django's deprecation policy) and leave it to third party apps to support.
> 2) Completely refactor the markdown filter to support all of the markdown library's features except for "safe_mode" and add a new "clean" filter which can wrap any markup filter.
> 3) Add a new "clean" filter and simply drop support for Markdown's safe_mode - leaving the rest as is.
>
> I do not recommend the approach of the current patch. It leaves a bad taste in my mouth. Also note that I do not recommend supporting Markdown's "safe_mode" in any form. Of course, the Django team will need to make whatever decision will better serve the community - not me.
>
> [1]: https://github.com/jsocol/bleach
> [2]: http://packages.python.org/Markdown/reference.html#markdown
>
> --
> ----
> \X/ /-\ `/ |_ /-\ |\|
> Waylan Limberg
>
> --
> You received this message because you are subscribed to the Google Groups "Django developers" group.
> To post to this group, send email to django-developers@googlegroups.com.
> To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
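Waylan's message contrasts Python-Markdown's three safe_mode behaviours (escape, remove and replace) and suggests a separate "clean" filter that post-processes any markup filter's output. As an added illustration, not code from the thread, from Python-Markdown or from bleach, the stdlib-only filter below applies those three modes to tags outside an allowlist and keeps only http/https/mailto values in href; the allowlist, the attribute list and the `[HTML_REMOVED]` replacement text are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed allowlist for the example; a real deployment would tune these.
ALLOWED_TAGS = {"p", "em", "strong", "a", "code", "pre", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = ("http:", "https:", "mailto:")


class RawHtmlFilter(HTMLParser):
    """Rewrite an HTML fragment, handling tags outside the allowlist in one of three
    modes: 'escape' (show the tag as text), 'remove' (drop the tag) or 'replace'
    (substitute replacement text). Text between tags is always kept as text."""

    def __init__(self, mode="escape", replacement="[HTML_REMOVED]"):
        super().__init__(convert_charrefs=False)  # pass entities through as written
        self.mode, self.replacement, self.out = mode, replacement, []

    def _disallowed(self, raw_tag):
        if self.mode == "escape":
            self.out.append(html.escape(raw_tag, quote=False))  # <script> -> &lt;script&gt;
        elif self.mode == "replace":
            self.out.append(self.replacement)
        # 'remove': emit nothing for the tag itself

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return self._disallowed(self.get_starttag_text())
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # event handlers, style, etc. are dropped
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # only plain web/mail links survive in href
            kept.append(f' {name}="{html.escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> style tag: no separate end tag

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
        else:
            self._disallowed(f"</{tag}>")

    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")


def clean_html(fragment, mode="escape"):
    """Apply RawHtmlFilter to already-rendered markup (e.g. Markdown output)."""
    f = RawHtmlFilter(mode)
    f.feed(fragment)
    f.close()
    return "".join(f.out)
```

Note that only the tags are handled: in "remove" and "replace" mode the body of a dropped element still appears as visible text, which is the kind of surprise to the document author that the message describes.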