Hi, I just started playing around with Typo, very nice (and it being
built on Rails is another layer of coolness :). Where the PHP of
WordPress gave me an “aaagh!” reaction, here it’s actually fun to look
under the hood and tinker :).
Anyway, I noticed that the default setup doesn’t include a text filter
that filters out raw HTML. It seems to me that allowing default Markdown
(for example) in blog comments would be pretty dangerous: there are a
lot of nasty things you can inject with that, especially JavaScript
ones.
So I added a version of the Markdown plugin for my own blog, with raw
HTML filtered out, using:
BlueCloth.new(text.gsub(%r{</?notextile>}, ''), :filter_html,
:filter_styles).to_html
in the relevant portion. Works and makes me feel a bit safer, at least.
I was just wondering if it would make sense to add “no raw HTML”
versions of the text filters to the default Typo package? Not everyone
wants to or can hack Ruby code, and I’m a bit worried that lots of
people will just enable normal Markdown/Textile markup for their
comments and as a side effect be vulnerable to various sorts of attacks
and annoyances.
//Petri
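Added example (not Typo's or BlueCloth's code, and not part of the post above): a self-contained Ruby sketch of the two places a comment filter can neutralise injected markup. escape_raw_html does what the :filter_html restriction in the post does in spirit (it is assumed here to mean "escape < and > in the input before Markdown runs"; BlueCloth's exact behaviour is not quoted). sanitize_rendered is an allowlist pass over the rendered HTML that catches what input-side escaping cannot: Markdown link syntax such as [click](javascript:...) contains no raw HTML, so it survives the first step, and a Markdown renderer that does no URL scheme checking turns it into an <a href> of its own making. The tag, attribute and scheme lists, the toy_markdown stand-in renderer and the sample comment are all constructed for this example.

```ruby
require 'cgi'

# Added example, not Typo's or BlueCloth's code. The allowlists below are
# illustrative choices for a blog comment field, not anything from Typo.
SAFE_TAGS    = %w[p br em strong code pre blockquote ul ol li a].freeze
SAFE_ATTRS   = { 'a' => %w[href title] }.freeze
SAFE_SCHEMES = %w[http https mailto].freeze

# Step 1: input-side escaping, the idea behind the :filter_html restriction
# (assumed here to mean "turn < and > into entities before Markdown runs",
# so raw tags in a comment become visible text rather than markup).
# Only < and > are touched so that entities such as &amp; still work.
def escape_raw_html(text)
  text.gsub('<', '&lt;').gsub('>', '&gt;')
end

# A link target is acceptable if it is relative or uses an allowlisted
# scheme. Whitespace and control characters are removed first because
# browsers ignore them inside the scheme ("java\tscript:" still runs).
# A bare "host.example:8080/x" with no scheme is rejected too, which errs
# on the safe side for a comment field.
def safe_url?(url)
  u = url.gsub(/[\x00-\x20]/, '').downcase
  return true if u.start_with?('/', '#')
  scheme = u[/\A([a-z][a-z0-9+.-]*):/, 1]
  return true if scheme.nil?
  SAFE_SCHEMES.include?(scheme)
end

TAG_RE  = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>}
ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

# Step 2: output-side allowlist over the rendered HTML. Any tag that is not
# allowlisted is escaped so it shows up as text; allowlisted tags keep only
# allowlisted attributes, and href values must pass safe_url? after entity
# decoding (so &#106;avascript: cannot sneak past). This is a regex
# tokenizer for demonstration only; a production filter should use a real
# HTML parser (the Sanitize or Loofah gems do this properly).
def sanitize_rendered(html)
  html.gsub(TAG_RE) do
    whole, closing, name, attrs = Regexp.last_match(0), $1, $2.downcase, $3
    next CGI.escapeHTML(whole) unless SAFE_TAGS.include?(name)
    next "</#{name}>" if closing == '/'

    kept = attrs.scan(ATTR_RE).map do |attr, dq, sq, bare|
      attr = attr.downcase
      value = CGI.unescapeHTML(dq || sq || bare || '')
      next unless (SAFE_ATTRS[name] || []).include?(attr)
      next if attr == 'href' && !safe_url?(value)
      %( #{attr}="#{CGI.escapeHTML(value)}")
    end.compact
    "<#{name}#{kept.join}>"
  end
end

# Both layers together: escape the comment, hand it to whatever Markdown
# renderer is in use (passed in as a callable so this file needs no gem),
# then sanitise the result.
def filter_comment(markdown_source, renderer)
  sanitize_rendered(renderer.call(escape_raw_html(markdown_source)))
end

# Constructed stand-in renderer: only turns [text](url) into <a> tags and
# wraps everything in <p>. It does no scheme checking, which is exactly the
# gap that step 2 closes.
def toy_markdown(src)
  '<p>' + src.gsub(/\[([^\]]+)\]\(([^)]+)\)/) { %(<a href="#{$2}">#{$1}</a>) } + '</p>'
end

# Constructed sample comment: a raw <script> tag, a javascript: link that
# contains no raw HTML at all, and an ordinary link that should survive.
SAMPLE_COMMENT = %(Nice post! <script>steal(document.cookie)</script> ) +
                 %([click me](javascript:window.location='//evil.example/') ) +
                 %([docs](http://example.com/))

puts filter_comment(SAMPLE_COMMENT, method(:toy_markdown)) if __FILE__ == $PROGRAM_NAME
```

Running the file prints the sample comment with the script tag shown as literal text, the javascript: link reduced to a bare <a>click me</a>, and the http link intact. The point of keeping both layers is that input escaping alone, which is all a "no raw HTML" variant of a text filter provides, still leaves link targets and attributes that the Markdown or Textile renderer generates itself.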