[typo] Markup plugins with raw HTML disabled into base?

Petri Wessman orava at iki.fi
Mon Aug 7 10:05:21 EDT 2006


Hi, I just started playing around with Typo, very nice (and it being 
built on Rails is another layer of coolness :). Where the PHP of 
Wordpress gave me an "aaagh!" reaction, here it's actually fun to look 
under the hood and tinker :).

Anyway, I noticed that the default setup doesn't include a text filter 
that filters out raw HTML. It seems to me that allowing default Markdown 
(for example) in blog comments would be pretty dangerous: there are a 
lot of nasty things you can inject with that, especially Javascript ones.

So I added a version of the Markdown plugin for my own blog, with raw 
HTML filtered out, using:

require 'bluecloth'  # the Markdown renderer
BlueCloth.new(text.gsub(%r{</?notextile>}, ''),  # drop <notextile> wrappers
              :filter_html, :filter_styles).to_html  # escape raw HTML and inline styles

in the relevant portion. Works and makes me feel a bit safer, at least.

I was just wondering if it would make sense to add "no raw HTML" 
versions of the text filters to the default Typo package? Not everyone 
wants to or can hack Ruby code, and I'm a bit worried that lots of 
people will just enable normal markdown/textile markup for their 
comments and as a side effect be vulnerable to various sorts of attacks 
and annoyances.

//Petri
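As an added illustration of the point above (this is example code, not Typo's, BlueCloth's or the poster's own), a tiny Markdown-subset renderer for comments that mirrors what a "no raw HTML" filter does: raw HTML in the comment source is escaped before any markup is interpreted, so it is displayed literally. The helper names render_comment and render_link and the http/https/mailto scheme allowlist are assumptions; the scheme check goes beyond the post, since Markdown link syntax itself can carry a script URL even when raw HTML is escaped.

```ruby
require 'cgi'

# Constructed allowlist of URL schemes a comment link may point to.
SAFE_SCHEMES = %w[http https mailto].freeze

# The only Markdown handled here: *emphasis* and [label](url).
EMPHASIS = /\*([^*\n]+)\*/
LINK     = /\[([^\]\n]+)\]\(([^)\s]+)\)/

# Build an anchor, refusing URL schemes that are not on the allowlist.
# A scheme-less URL is relative and is allowed; javascript:, data:, etc.
# are dropped and only the link text is kept.
def render_link(label, url)
  scheme = url[/\A([a-z][a-z0-9+.-]*):/i, 1]
  return label if scheme && !SAFE_SCHEMES.include?(scheme.downcase)
  %(<a href="#{url}">#{label}</a>)
end

# filter_html: true behaves like BlueCloth's :filter_html (raw HTML is
# escaped); false behaves like a plain Markdown filter that passes raw
# HTML through, which is the default setup the post warns about.
def render_comment(text, filter_html: true)
  src = text.gsub(%r{</?notextile>}, '')   # same wrapper stripping as the post
  src = CGI.escapeHTML(src) if filter_html # escape BEFORE interpreting markup,
                                           # so quotes in URLs cannot break out
                                           # of the href attribute either
  src.gsub(LINK) { render_link($1, $2) }
     .gsub(EMPHASIS, '<em>\1</em>')
end
```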


