We always filter the raw HTML in comments, no matter which filter is
used. Look at body_html_postprocess in app/models/comment.rb.
Scott
On 8/7/06, Petri Wessman <[EMAIL PROTECTED]> wrote:
> Hi, I just started playing around with Typo, very nice (and it being
> built on Rails is another layer of coolness :). Where the PHP of
> Wordpress gave me an "aaagh!" reaction, here it's actually fun to look
> under the hood and tinker :).
>
> Anyway, I noticed that the default setup doesn't include a text filter
> that filters out raw HTML. It seems to me that allowing default Markdown
> (for example) in blog comments would be pretty dangerous; there are a
> lot of nasty things you can inject with that, especially Javascript ones.
>
> So I added a version of the Markdown plugin for my own blog, with raw
> HTML filtered out, using:
>
> BlueCloth.new(text.gsub(%r{</?notextile>}, ''), :filter_html,
> :filter_styles).to_html
>
> in the relevant portion. Works and makes me feel a bit safer, at least.
>
> I was just wondering if it would make sense to add "no raw HTML"
> versions of the text filters to the default Typo package? Not everyone
> wants to or can hack Ruby code, and I'm a bit worried that lots of
> people will just enable normal markdown/textile markup for their
> comments and as a side effect be vulnerable to various sorts of attacks
> and annoyances.
>
> //Petri
>
> _______________________________________________
> Typo-list mailing list
> [email protected]
> http://rubyforge.org/mailman/listinfo/typo-list
>
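The allow-list post-processing step Scott describes, as an added example that is not Typo's body_html_postprocess nor BlueCloth's :filter_html; function names (filter_comment_html, safe_href) and the tag list are assumptions, and it uses only the Ruby standard library.

```ruby
# Hypothetical post-processor for comment HTML, run after any text filter
# (Markdown, Textile, none) so raw HTML is neutralised no matter which filter
# the blog owner enabled. Allowed tags are kept without attributes (except a
# plain http/https href); every other tag is escaped so it renders as text.
ALLOWED_TAGS = %w[p br em strong code pre blockquote ul ol li a].freeze

# Escape markup characters but leave already well-formed entities alone.
def escape_text(s)
  s.gsub(/&(?!(?:#\d+|#x[0-9a-f]+|[a-z]+);)/i, "&amp;")
   .gsub("<", "&lt;").gsub(">", "&gt;")
end

# Return the href value only if it is an absolute http(s) URL, else nil.
def safe_href(attrs)
  m = attrs.match(/\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i)
  url = m && (m[1] || m[2] || m[3]).strip
  url if url && url.match?(%r{\Ahttps?://[^\s"'<>]+\z}i)
end

def filter_comment_html(html)
  kept = []
  # Pass 1: swap allowed tags for NUL-delimited placeholders so they survive
  # escaping (NUL is removed from the input first so it cannot be spoofed).
  marked = html.delete("\u0000").gsub(%r{<(/?)([a-z][a-z0-9]*)([^<>]*?)(/?)>}i) do
    closing, name, attrs, selfclose = $1, $2.downcase, $3, $4
    next $& unless ALLOWED_TAGS.include?(name) # left in place, escaped below
    tag = if name == "a" && closing.empty? && (href = safe_href(attrs))
            %(<a href="#{escape_text(href)}" rel="nofollow">)
          else
            "<#{closing}#{name}#{selfclose.empty? ? '' : ' /'}>"
          end
    kept << tag
    "\u0000#{kept.size - 1}\u0000"
  end
  # Pass 2: escape everything that is left, including disallowed tags.
  escaped = escape_text(marked)
  # Pass 3: restore the allowed tags.
  escaped.gsub(/\u0000(\d+)\u0000/) { kept[$1.to_i] }
end
```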