To protect against injection, you *do* want to use the safe argument.

If you don't use the safe parameter, then the markdown filter will not escape any HTML in the input.

http://freewisdom.org/projects/python-markdown/Django

If you're not convinced, try including the following {{ text|markdown }} with and without the safe parameter!

text = """
<script>alert(boo!);</script>
**This is bold**
"""

Regards,

Alasdair


On 07/10/11 15:04, arkai...@gmail.com wrote:
Hi,
I am aware that Markdown is a formatting language like textile or any other. It is just that I've seen other projects using {{var|markdown:"safe"}} to protect against injected html and I don't know if that is the same, better or worse than just {{var}} without disabling autoescape.

Thanks

--
Arkaitz


On Fri, Oct 7, 2011 at 2:50 PM, Tom Evans <tevans...@googlemail.com> wrote:

    On Fri, Oct 7, 2011 at 9:00 AM, arkai...@gmail.com wrote:
    > Hi all,
    > I'm working on a comments addon for my app and I'm checking the
    > alternatives for urlizing and securing what users write in comments.
    > I thought that just using Django's default autoescape (not doing
    > anything) plus the |urlize filter like "{{comment|urlize}}" would be
    > enough, but I've seen examples in the web using
    > "{{comment|markdown:'safe'}}" so I was wondering if autoescape is not
    > enough or people are using "markdown:'safe'" for other reasons?
    >
    > Should I be concerned if I don't use markdown:"safe" ?
    >
    > Thanks

    Markdown is a formatting language. People using that syntax enter
    their comments in markdown, and use that to turn them into HTML.

    Cheers

    Tom

    --
    You received this message because you are subscribed to the Google
    Groups "Django users" group.
    To post to this group, send email to django-users@googlegroups.com.
    To unsubscribe from this group, send email to
    django-users+unsubscr...@googlegroups.com.
    For more options, visit this group at
    http://groups.google.com/group/django-users?hl=en.




--
Alasdair Nicol
Developer, MEMSET

mail: alasd...@memset.com
 web: http://www.memset.com/

Memset Ltd., registration number 4504980. 25 Frederick Sanger Road, Guildford, 
Surrey, GU2 7YD, UK.


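The difference the thread is discussing, shown as an added example that is not part of the original messages and does not use Django or Python-Markdown themselves. The markdown renderer below is a constructed stand-in that only handles **bold** and, like a real markdown filter, passes raw HTML through untouched and returns output the template engine would treat as already safe. The "safe" variant here is realized by escaping raw HTML before formatting (the real filter's exact treatment of raw HTML, escaping versus stripping, depends on the library version); `autoescape_only` stands in for a bare `{{ var }}`. The input text is Alasdair's suggested snippet.

```python
import html
import re

# Constructed sample input: the snippet suggested above, pasted as a comment.
TEXT = """
<script>alert(boo!);</script>
**This is bold**
"""


def render_markdown(text: str) -> str:
    """Constructed stand-in for a markdown filter: only **bold** is supported.

    Raw HTML in the input is passed through unchanged, and the result is
    assumed to be marked safe, i.e. Django's autoescape will NOT touch it.
    """
    return re.sub(r"\*\*(.+?)\*\*", r"<strong>\1</strong>", text)


def markdown_unsafe(text: str) -> str:
    """Behaviour of {{ text|markdown }} without the safe argument."""
    return render_markdown(text)


def markdown_safe(text: str) -> str:
    """Behaviour of {{ text|markdown:"safe" }} (modelled here as escaping raw
    HTML before formatting, so user HTML is neutralised but **bold** still works)."""
    return render_markdown(html.escape(text, quote=True))


def autoescape_only(text: str) -> str:
    """Behaviour of a plain {{ text }}: everything is escaped, no formatting."""
    return html.escape(text, quote=True)


def contains_script_tag(rendered: str) -> bool:
    """Detection check a reviewer would apply to the rendered output."""
    return re.search(r"<script\b", rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    for name, fn in (("markdown", markdown_unsafe),
                     ("markdown:safe", markdown_safe),
                     ("autoescape only", autoescape_only)):
        out = fn(TEXT)
        print(f"--- {name} (script tag present: {contains_script_tag(out)})")
        print(out)
```

Running it shows that without the safe argument the `<script>` element survives into the page, that the safe variant keeps the bold formatting while neutralising the tag, and that a bare `{{ var }}` is safe but renders no markdown at all, which is the trade-off Arkaitz was asking about.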