I am looking at some ways to improve the comment system and provide greater flexibility in how comment content is handled when it's submitted, particularly in the realm of HTML vs. non-HTML comment posting. XSS is becoming so common now that allowing anonymous users to post HTML comments is pretty dangerous, and so I am trying to find some better ways to allow for comment formatting to take place on non-HTML comments.

After looking through what we have right now I think we need to fix a couple of issues. The main problem is with the current autoformat and escape HTML comment settings.

1. These settings are global settings and apply to all comments on all blogs; however, they are not tracked on a per-comment basis and this makes it nearly impossible to change these settings without messing up old comments. For example, if you start your site by allowing HTML in comments, then disable HTML and enable autoformatting, then it's going to apply that to all your old comments which don't need it and make things look pretty ugly :/ The same situation applies in reverse as well. If you start by using autoformatting and then disable it, then all your old comments are going to show up unformatted.

2. These settings are applied in Velocity templates and macros and are not enforced in any way, so it would be easy for a savvy user to circumvent these settings if they really wanted to. It is more appropriate if we apply any plugins or transformations inside the code so that we aren't relying on logic in macros/templates.

So I think we need to fix these things first, then I'd like to add a more flexible way of applying custom formatting options to comments. #2 is very easy to fix since we can just put that logic in the comment wrapper class. Fixing #1 is more tricky.

For #1 I would like to introduce the concept of pluggable CommentFormatter classes. Basically, these would work exactly like CommentValidators except that instead of just checking the comment for some kind of illegal content they would actually be performing transformations on the content, much like our weblog entry plugins do now. So site admins would be able to define what comment formatters are available to the application and enable/disable them globally to make them apply to comments. We would track what formatters to apply to a given comment by adding a new column in the db for 'formatters' and listing which formatters to apply to each comment.

We would start by defining formatters to replace our current settings for autoformatting and escaping HTML, and via a simple upgrade we can set these formatters on all existing comments if those settings are enabled.

Then, moving forward, it's very easy to add formatters to the application and enable/disable them whenever the admin wants. Since the formatters are tracked with the comments, it is possible to disable a formatter from being used on new comments but have it still available to apply to old comments. This also provides a very simple way for site admins to create custom formatters to suit whatever their needs may be; for example, you could do a wiki syntax comment formatter if you wanted.

Thoughts?

-- Allen
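The CommentFormatter design sketched in the message above, written out as an added example (not code from the original post or from the project itself). The interface, the class names, the stored formatter names "escapehtml" and "autoformat", the upgrade helper and the fail-closed lookup are all assumptions about how the proposal could look in Java.

```java
import java.util.List;
import java.util.Map;

// Hypothetical CommentFormatter contract (names and signatures are assumptions, not the project's API).
interface CommentFormatter {
    String format(String content);
}
// Stands in for the global "escape html" setting: all submitted markup becomes inert text.
class EscapeHtmlFormatter implements CommentFormatter {
    public String format(String c) {
        return c.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
}
// Stands in for the global "autoformat" setting: blank-line separated blocks become paragraphs.
class AutoformatFormatter implements CommentFormatter {
    public String format(String c) {
        StringBuilder sb = new StringBuilder();
        for (String para : c.trim().split("\\n\\s*\\n"))
            sb.append("<p>").append(para.trim().replace("\n", "<br/>")).append("</p>");
        return sb.toString();
    }
}
// Applies exactly the formatters recorded with the comment (the proposed "formatters" column) in
// code, not in a Velocity macro, so changing a global setting never re-renders old comments.
class CommentWrapper {
    // Formatters the admin has made available to the application, looked up by their stored name.
    static final Map<String, CommentFormatter> AVAILABLE =
            Map.of("escapehtml", new EscapeHtmlFormatter(), "autoformat", new AutoformatFormatter());
    private final String rawContent;
    private final List<String> formatters; // names as stored in the db, e.g. [escapehtml, autoformat]

    CommentWrapper(String rawContent, List<String> formatters) {
        this.rawContent = rawContent;
        this.formatters = formatters;
    }
    // Upgrade helper: derive an existing comment's formatter list from the old global settings.
    // Order matters: escape first, then autoformat, so the <p> tags autoformat adds survive.
    static List<String> fromGlobalSettings(boolean escapeHtml, boolean autoformat) {
        if (escapeHtml && autoformat) return List.of("escapehtml", "autoformat");
        if (escapeHtml) return List.of("escapehtml");
        return autoformat ? List.of("autoformat") : List.of();
    }
    String getContent() {
        String out = rawContent;
        for (String name : formatters) {
            CommentFormatter f = AVAILABLE.get(name);
            // Fail closed: a formatter that was removed must not silently yield the raw (HTML) text.
            if (f == null) throw new IllegalStateException("unknown comment formatter: " + name);
            out = f.format(out);
        }
        return out;
    }
}
```

For a comment submitted while both old settings were on, the upgrade would store `fromGlobalSettings(true, true)` with it, and `new CommentWrapper(raw, storedNames).getContent()` renders a comment containing a `<script>` tag as escaped text inside paragraphs; a list naming a formatter that no longer exists throws rather than showing the raw content.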
