[typo] Markup plugins with raw HTML disabled into base?

Scott Laird scott at sigkill.org
Mon Aug 7 11:45:19 EDT 2006

We always filter the raw HTML in comments, no matter which filter is
used.  Look at body_html_postprocess in app/models/comment.rb.


On 8/7/06, Petri Wessman <orava at iki.fi> wrote:
> Hi, I just started playing around with Typo, very nice (and it being
> built on Rails is another layer of coolness :). Where the PHP of
> Wordpress gave me an "aaagh!" reaction, here it's actually fun to look
> under the hood and tinker :).
> Anyway, I noticed that the default setup doesn't include a text filter
> that filters out raw HTML. It seems to me that allowing default Markdown
> (for example) in blog comments would be pretty dangerous, there are a
> lot of nasty things you can inject with that, especially Javascript ones.
> So I added a version of the Markdown plugin for my own blog, with raw
> HTML filtered out, using:
> BlueCloth.new(text.gsub(%r{</?notextile>}, ''), :filter_html,
> :filter_styles).to_html
> in the relevant portion. Works and makes me feel a bit safer, at least.
> I was just wondering if it would make sense to add "no raw HTML"
> versions of the text filters to the default Typo package? Not everyone
> wants to or can hack Ruby code, and I'm a bit worried that lots of
> people will just enable normal markdown/textile markup for their
> comments and as a side effect be vulnerable to various sorts of attacks
> and annoyances.
> //Petri
> _______________________________________________
> Typo-list mailing list
> Typo-list at rubyforge.org
> http://rubyforge.org/mailman/listinfo/typo-list
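The kind of post-processing step Scott points to, shown as an added Ruby example: this is not Typo's body_html_postprocess and not BlueCloth's :filter_html, and the function names and allowlists are my own. Tags outside the allowlist are escaped so they render as literal text, and href values are checked after entity decoding so encoded javascript: URLs are rejected too.

```ruby
require 'cgi'

# Allowlist-based HTML post-processing for blog comments. Constructed example;
# not Typo's body_html_postprocess. Tags outside the allowlist are escaped so
# they render as literal text, the way a Markdown "filter HTML" option does.
ALLOWED_TAGS  = %w[p br em strong code pre blockquote ul ol li a].freeze
ALLOWED_ATTRS = { 'a' => %w[href] }.freeze
SAFE_SCHEMES  = %w[http https mailto].freeze

# A URL is kept if it is relative or uses an allowlisted scheme. Entities are
# decoded and control characters removed first, because browsers still treat
# "java&#9;script:" and "java\nscript:" as the javascript: scheme.
def safe_href?(url)
  url = CGI.unescapeHTML(url).gsub(/[\x00-\x20]/, '')
  scheme = url[/\A([a-z][a-z0-9+.\-]*):/i, 1]
  scheme.nil? || SAFE_SCHEMES.include?(scheme.downcase)
end

def sanitize_comment_html(html)
  html = html.gsub(/<!--.*?-->/m, '')                              # drop comments
  html = html.gsub(%r{<(script|style)\b[^>]*>.*?</\1\s*>}mi, '')   # drop element bodies too
  html.gsub(%r{</?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>}) do
    whole = Regexp.last_match(0)
    tag   = Regexp.last_match(1).downcase
    attrs = Regexp.last_match(2)
    next CGI.escapeHTML(whole) unless ALLOWED_TAGS.include?(tag)  # unknown tag: show as text
    next "</#{tag}>" if whole.start_with?('</')
    kept = (ALLOWED_ATTRS[tag] || []).map do |name|               # rebuild only allowed attrs
      m = attrs.match(/\b#{name}\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i)
      next nil unless m
      value = m[1] || m[2] || m[3]
      next nil if name == 'href' && !safe_href?(value)
      %( #{name}="#{CGI.escapeHTML(value)}")
    end
    "<#{tag}#{kept.compact.join}>"
  end
end
```

Regex-based filtering like this is fine for showing the idea, but HTML parsing is full of corner cases, so production code should run the same allowlist through a real HTML-parser-based sanitizer.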
