https://bitbucket.org/ionata/django-bleach 


On Thursday, September 6, 2012 at 10:48 PM, Waylan Limberg wrote:

> On Thu, Sep 6, 2012 at 8:22 PM, Thomas Purchas <tpurc...@gmail.com 
> (mailto:tpurc...@gmail.com)> wrote:
> > I have submitted a patch to improve the way Django handles html in markdown.
> > Specifically how it escapes it.
> > 
> > Ticket 6526 has all of the detail, could someone please review my patch.
> As the maintainer of the Python-Markdown library, I'll weigh in here.
> 
> I'll start by noting that safe-mode was a poorly chosen name for the
> feature (which was added before I joined the project). Really, it is a
> means of restricting raw html and IMO, should only ever "escape" raw
> html. However, because of the word "safe" in the name, the feature has
> grown to support other so-called "safety" features to avoid XSS (for
> example injecting malicious JavaScript into a markdown style link)
> etc. That said, I can make no claims that it is actually "safe".
> 
> The "replace" option is supported for backward compatibility reasons
> (also why it is still the default) and "remove" is really just a
> shortcut for "replace" with the "html_replacement_text" set to a blank
> string. Not sure why anyone would want either of those options. Remove
> is too surprising to the document author and replace is a lousy (IMO)
> attempt at an explanation. While escape might not be expected by the
> author, once noticed, it is not nearly as surprising.
> 
> If someone wants "safe" output from Markdown, I recommend using a
> library specific to that purpose like bleach [1]. In fact, it would
> make more sense to me to create a separate "clean" filter (perhaps
> called "clean_html"?) which calls `bleach.clean()` and provide it as a
> filter that can be used with any of the markup languages offered by
> Django.
> 
> If instead, improvements are only going to be made to the markdown
> filter, then I would suggest a complete overhaul allowing access to
> all of markdown's features [2]. For example, markdown outputs xhtml by
> default. Some may want html - which the markdown lib supports - but
> the Django filter does not.
> 
> To me, the markdown filter in its current state is completely useless.
> I have always had to re-implement my own, more powerful solution.
> 
> My recommendation is to do one of the following (in order of preference):
> 
> 1) Remove contrib.markup (per Django's deprecation policy) and leave
> it to third party apps to support.
> 2) Completely refactor the markdown filter to support all of the
> markdown library's features except for "safe_mode" and add a new
> "clean" filter which can wrap any markup filter.
> 3) Add a new "clean" filter and simply drop support for Markdown's
> safe_mode - leaving the rest as is.
> 
> I do not recommend the approach of the current patch. It leaves a bad
> taste in my mouth. Also note that I do not recommend supporting
> Markdown's "safe_mode" in any form. Of course, the Django team will
> need to make whatever decision will better serve the community - not
> me.
> 
> [1]: https://github.com/jsocol/bleach
> [2]: http://packages.python.org/Markdown/reference.html#markdown
> 
> -- 
> ----
> \X/ /-\ `/ |_ /-\ |\|
> Waylan Limberg
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Django developers" group.
> To post to this group, send email to django-developers@googlegroups.com 
> (mailto:django-developers@googlegroups.com).
> To unsubscribe from this group, send email to 
> django-developers+unsubscr...@googlegroups.com 
> (mailto:django-developers+unsubscr...@googlegroups.com).
> For more options, visit this group at 
> http://groups.google.com/group/django-developers?hl=en.
> 
> 


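The design Waylan recommends, a separate "clean" filter that runs after any markup filter rather than relying on Markdown's safe_mode, looks like this in practice. The block below is an added example, not code from this thread, from Django, from Python-Markdown or from bleach: it is a standard-library stand-in for `bleach.clean()` so it runs offline, the name `clean_html` and the allowlists are assumptions made for the example, and the sample input is constructed to resemble what a markdown renderer without safe_mode would emit for an untrusted post.

```python
# Added example, not code from this thread, Django, Python-Markdown or bleach:
# a stand-alone "clean" step that allowlist-sanitizes the HTML any markup
# filter produced. It stands in for bleach.clean() using only the standard
# library; the function name clean_html and the allowlists below are
# assumptions chosen for the example.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlists (constructed for this example).
ALLOWED_TAGS = {"p", "br", "a", "em", "strong", "code", "pre", "blockquote",
                "ul", "ol", "li", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}                      # emitted once, never pushed on the stack
DROP_CONTENT = {"script", "style"}      # tag and its text are both removed


def _safe_url(url):
    """True for relative URLs and allowlisted schemes. Whitespace and control
    characters are stripped first so an obfuscated 'java\\tscript:' is still
    recognised as the javascript scheme."""
    compact = "".join(ch for ch in (url or "") if ord(ch) > 0x20)
    scheme = urlparse(compact).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class _Cleaner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities decoded, re-escaped on output
        self.out = []
        self.open = []          # allowlisted tags awaiting their close tag
        self.drop_depth = 0     # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return              # disallowed tag vanishes; its text is kept, escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue        # drops every on* handler, style, etc.
            if name == "href" and not _safe_url(value):
                continue        # javascript:/data: links lose their href
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # "<br />" as markdown emits it

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.open:
            return
        while self.open:        # close intermediates so output stays balanced
            top = self.open.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.open:        # close whatever the input left open
            self.out.append(f"</{self.open.pop()}>")


def clean_html(rendered_html):
    """The 'clean' filter: apply to the output of any markup filter. In a
    Django templatetags module this would be registered with @register.filter
    and its return value wrapped in mark_safe()."""
    cleaner = _Cleaner()
    cleaner.feed(rendered_html)
    cleaner.close()
    return "".join(cleaner.out)


# Constructed sample: what a markdown renderer without safe_mode emits for an
# untrusted post that smuggled raw HTML and a javascript: link through.
SAMPLE = (
    "<p>Hello <strong>world</strong> &amp; friends</p>\n"
    "<script>alert(1)</script>\n"
    '<p><a href="javascript:alert(1)" onclick="x()">click</a> '
    '<a href="https://example.com" title="ok">fine</a></p>\n'
    '<img src=x onerror="alert(1)">'
)

if __name__ == "__main__":
    print(clean_html(SAMPLE))
```

Because the clean step only sees HTML, it is independent of which markup language produced it, which is exactly why it can wrap the markdown, textile or restructuredtext filters alike. A maintained sanitizer such as bleach is still the right production choice; this stand-in illustrates the layering (render first, then allowlist-clean) rather than competing with it.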