Markup plugins with raw HTML disabled into base?

Hi, I just started playing around with Typo, very nice (and it being
built on Rails is another layer of coolness :). Where the PHP of
Wordpress gave me an “aaagh!” reaction, here it’s actually fun to look
under the hood and tinker :).

Anyway, I noticed that the default setup doesn’t include a text filter
that filters out raw HTML. It seems to me that allowing default Markdown
(for example) in blog comments would be pretty dangerous; there are a
lot of nasty things you can inject with that, especially JavaScript
ones.

So I added a version of the Markdown plugin for my own blog, with raw
HTML filtered out, using:

BlueCloth.new(text.gsub(%r{</?notextile>}, ''), :filter_html,
  :filter_styles).to_html

in the relevant portion. Works and makes me feel a bit safer, at least.

I was just wondering if it would make sense to add “no raw HTML”
versions of the text filters to the default Typo package? Not everyone
wants to or can hack Ruby code, and I’m a bit worried that lots of
people will just enable normal markdown/textile markup for their
comments and as a side effect be vulnerable to various sorts of attacks
and annoyances.

//Petri

Scott L. wrote:

We always filter the raw HTML in comments, no matter which filter is
used. Look at body_html_postprocess in app/models/comment.rb.
Scott
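As an added example (not code from this thread, and not Typo's own body_html_postprocess), here is the post-processing approach Scott describes, written in plain Ruby: instead of trusting any particular text filter to refuse raw HTML, the HTML that the filter produced is run through an allowlist sanitizer before it is stored or rendered. The tag and attribute lists, the href scheme check and the sample comment are my assumptions, chosen to show what a comment sanitizer has to handle (script tags, on* handlers, javascript: links, comments and stray angle brackets).

```ruby
# Added example, not Typo's code: allowlist-sanitize the HTML a comment
# text filter (Markdown, Textile, ...) produced, whatever the filter was.
require 'strscan'

# Tags a commenter may use, with the attributes allowed on each (assumed
# lists). Anything else is dropped, so <script>, <img>, <style> and every
# on* event handler never survive.
ALLOWED_TAGS = {
  'a' => %w[href title],
  'b' => [], 'strong' => [], 'i' => [], 'em' => [], 'code' => [], 'pre' => [],
  'p' => [], 'br' => [], 'ul' => [], 'ol' => [], 'li' => [], 'blockquote' => []
}.freeze

# href must be http(s), mailto, site-relative or an anchor; this rejects
# javascript:, data:, vbscript: and similar schemes.
SAFE_HREF = %r{\A(?:https?://|mailto:|/|#)}i

# A tag: optional "/", a name, then attributes (quoted values may contain ">").
TAG_RE  = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/
# One attribute with a double-quoted, single-quoted or bare value.
ATTR_RE = /([a-zA-Z][\w:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

# Keep only the allowed attributes of an allowed tag, re-quoting their values.
def filter_attrs(tag, raw_attrs)
  allowed = ALLOWED_TAGS[tag]
  kept = []
  raw_attrs.scan(ATTR_RE) do |attr, dq, sq, bare|
    attr = attr.downcase
    value = dq || sq || bare
    next unless allowed.include?(attr)
    next if attr == 'href' && value.strip !~ SAFE_HREF
    kept << %(#{attr}="#{value.gsub('"', '&quot;')}")
  end
  kept
end

# Walk the HTML token by token: text is passed through with ">" escaped,
# allowed tags are rebuilt from their filtered attributes, disallowed tags
# are removed, and any "<" that does not start a real tag (comments,
# processing instructions, a bare "<") is escaped so it stays text.
def sanitize_html(html)
  s = StringScanner.new(html)
  out = +''
  until s.eos?
    if (text = s.scan(/[^<]+/))
      out << text.gsub('>', '&gt;')
    elsif s.scan(TAG_RE)
      closing, tag, raw_attrs = s[1], s[2].downcase, s[3]
      next unless ALLOWED_TAGS.key?(tag)
      if closing == '/'
        out << "</#{tag}>"
      else
        attrs = filter_attrs(tag, raw_attrs)
        out << "<#{tag}#{attrs.empty? ? '' : ' ' + attrs.join(' ')}>"
      end
    else
      s.getch
      out << '&lt;'
    end
  end
  out
end

# Constructed sample: what a hostile comment might look like after the
# Markdown filter has passed its raw HTML straight through.
SAMPLE_COMMENT_HTML = '<p>Nice post <b onmouseover="steal()">!</b> ' \
  '<a href="javascript:alert(1)">click</a> <script>alert(1)</script></p>'

if __FILE__ == $0
  puts sanitize_html(SAMPLE_COMMENT_HTML)
end
```

Stripping a disallowed tag keeps its text content, so `<script>alert(1)</script>` becomes the harmless text `alert(1)`; if you would rather see nothing at all from such tags, drop the text between a disallowed opening tag and its closing tag as well. The tag regex deliberately requires a letter after `<`, which is what makes `<!-- -->`, `<?php` and a stray `<` fall into the escape branch.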

Ah, silly me for not checking that out – should have guessed that was
taken care of. Never mind then. :)

//Petri