Re: Improve Django markdown rendering.

2012-09-06 Thread ptone


On Thursday, September 6, 2012 10:48:30 PM UTC-4, waylan wrote:
>
> If instead, improvements are only going to be made to the markdown 
> filter, then I would suggest a complete overhaul allowing access to 
> all of markdown's features [2].
>

In fact the plan is to deprecate the markup contrib module entirely:

https://code.djangoproject.com/ticket/18054 

Finishing the patch and getting it landed is on my todo list for the sprints 
at Djangocon.

The overhaul you suggest is a great opportunity for someone to offer an 
improved replacement version available outside of Django.

-Preston

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/django-developers/-/7kMd5U9gv6UJ.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to 
django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en.



Re: Improve Django markdown rendering.

2012-09-06 Thread Donald Stufft
https://bitbucket.org/ionata/django-bleach 


On Thursday, September 6, 2012 at 10:48 PM, Waylan Limberg wrote:

> On Thu, Sep 6, 2012 at 8:22 PM, Thomas Purchas (mailto:tpurc...@gmail.com) wrote:
> > I have submitted a patch to improve the way Django handles html in markdown.
> > Specifically how it escapes it.
> > 
> > Ticket 6526 has all of the detail, could someone please review my patch.
> As the maintainer of the Python-Markdown library, I'll weigh in here.
> 
> I'll start by noting that safe-mode was a poorly chosen name for the
> feature (which was added before I joined the project). Really, it is a
> means of restricting raw html and IMO, should only always "escape" raw
> html. However, because of the word "safe" in the name, the feature has
> grown to support other so-called "safety" features to avoid XSS (for
> example injecting malicious JavaScript into a markdown style link)
> etc. That said, I can make no claims that it is actually "safe".
> 
> The "replace" option is supported for backward compatibility reasons
> (also why it is still the default) and "remove" is really just a
> shortcut for "replace" with the "html_replacement_text" set to a blank
> string. Not sure why anyone would want either of those options. Remove
> is too surprising to the document author and replace is a lousy (IMO)
> attempt at an explanation. While escape might not be expected by the
> author, once noticed, it is not nearly as surprising.
> 
> If someone wants "safe" output from Markdown, I recommend using a
> library specific to that purpose like bleach [1]. In fact, it would
> make more sense to me to create a separate "clean" filter (perhaps
> called "clean_html"?) which calls `bleach.clean()` and provide it as a
> filter that can be used with any of the markup languages offered by
> Django.
> 
> If instead, improvements are only going to be made to the markdown
> filter, then I would suggest a complete overhaul allowing access to
> all of markdown's features [2]. For example, markdown outputs xhtml by
> default. Some may want html - which the markdown lib supports - but
> the Django filter does not.
> 
> To me, the markdown filter in its current state is completely useless.
> I have always had to re-implement my own, more powerful solution.
> 
> My recommendation is to do one of the following (in order of preference):
> 
> 1) Remove contrib.markup (per Django's deprecation policy) and leave
> it to third party apps to support.
> 2) Completely refactor the markdown filter to support all of the
> markdown library's features except for "safe_mode" and add a new
> "clean" filter which can wrap any markup filter.
> 3) Add a new "clean" filter and simply drop support for Markdown's
> safe_mode - leaving the rest as is.
> 
> I do not recommend the approach of the current patch. It leaves a bad
> taste in my mouth. Also note that I do not recommend supporting
> Markdown's "safe_mode" in any form. Of course, the Django team will
> need to make whatever decision will better serve the community - not
> me.
> 
> [1]: https://github.com/jsocol/bleach
> [2]: http://packages.python.org/Markdown/reference.html#markdown
> 
> -- 
> 
> \X/ /-\ `/ |_ /-\ |\|
> Waylan Limberg
> 


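A clean step of the kind Waylan describes above (an allowlist filter run over the already-rendered output of any markup filter, rather than relying on Markdown's safe_mode), as an added example that is not code from this thread, from Django or from bleach. It uses the standard library's html.parser in place of bleach so it runs with no dependencies; the tag, attribute and URL-scheme allowlists are constructed for illustration, and the `clean_html` name is the hypothetical filter name from the thread.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "a", "em", "strong", "code", "pre", "ul", "ol", "li", "br"}  # constructed allowlist
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = {"", "http", "https", "mailto"}  # "" covers relative URLs
DROP_CONTENT_TAGS = {"script", "style"}  # drop the element *and* its text


class _Cleaner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0  # nesting depth inside script/style

    def _url_ok(self, value):
        # Drop whitespace/control chars first so " javascript:..." is not taken for a relative URL
        v = "".join(c for c in value if c.isprintable()).strip()
        return urlsplit(v).scheme.lower() in ALLOWED_SCHEMES

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return  # disallowed tag: drop the tag itself, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers, style, etc. never survive
            if name == "href" and not self._url_ok(value or ""):
                continue  # entity-encoded schemes were decoded by the parser, so they are caught too
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS and tag != "br":  # br is void
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:  # charrefs were decoded, so re-escape the text
            self.out.append(html.escape(data, quote=False))


def clean_html(rendered):
    # Hypothetical clean_html filter body: sanitize already-rendered markup
    cleaner = _Cleaner()
    cleaner.feed(rendered)
    cleaner.close()
    return "".join(cleaner.out)
```

In a Django project this function would be registered as a template filter and applied after the markup filter, so the same clean step serves Markdown, Textile and reStructuredText output alike.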



Improve Django markdown rendering.

2012-09-06 Thread Thomas Purchas
I have submitted a patch to improve the way Django handles html in 
markdown. Specifically how it escapes it.

Ticket 6526 has all of the 
detail; could someone please review my patch.

Thanks in advance. 
