Hi all,
https://code.djangoproject.com/ticket/18054
I just came across this, and it seems slightly hasty. Most deprecations
of entire contrib modules would require some discussion on django-devs,
I would have thought.
The filters provided by this module are probably widely used, and I
think slightly better documentation of a migration route would be nice,
and some more explanation in the release notes. The nature of template
tags/filters like this is that they are necessarily glue code between
some functions and the Django template library, so it didn't seem that
inappropriate to me to have a contrib.markup module, any more than any
of the other contrib modules, even though they are relatively small
functions.
Also, hundreds of developers implementing their own solutions doesn't
seem sensible. That's especially true as it is easy to get those
functions wrong. I think the current state leaves people more likely to
be vulnerable, because many people will botch together an insecure
solution - and encouraging people to use the markup libraries directly,
as the release notes do, will make that worse.
For example, for restructured text, you need at least these settings to
be safe in a typical HTML/web app situation:
{
    'raw_enabled': False,
    'file_insertion_enabled': False,
}
(This is implied by the current Django docs, but it really ought to be
enforced by the code)
To add further confusion, there are projects like django-rstify out
there, which has the same vulnerabilities, and also seems to be a bit
dead at the moment (github repo has disappeared).
I'm happy to work on this to provide an external solution for
restructured text, but don't want to compete with django-rstify if I can
avoid it.
I will invite Martin Mahner, the author of django-rstify, to participate
in this thread. I think we should have recommendations for alternatives
for rendering markdown as well.
Regards,
Luke
--
"Christ Jesus came in to the world to save sinners" (1 Timothy 1:15)
Luke Plant || http://lukeplant.me.uk/
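An added example, not code from Luke's post or from Django or django-rstify: it renders reStructuredText through docutils with the two settings the post names as the minimum for a web app, and adds a small check that a settings dict actually has them. Assumed: docutils is installed; the `report_level` value and the function names are my own choices, not from the post.

```python
# Render reStructuredText with docutils in a locked-down configuration and
# verify that a disabled directive contributes nothing to the output.

# The two settings from the post: disable the "raw" directive (arbitrary
# HTML pass-through) and file insertion ("include", "raw :file:", ...).
SAFE_RST_SETTINGS = {
    'raw_enabled': False,
    'file_insertion_enabled': False,
    # Assumption (my choice): drop docutils' own warning nodes from the
    # rendered HTML, so a blocked directive does not leak a system message
    # into the page (docutils removes messages below report_level).
    'report_level': 5,
}

REQUIRED_OFF = ('raw_enabled', 'file_insertion_enabled')


def check_rst_settings(settings):
    """Return the required-safety keys that are missing or still enabled.

    A key counts as unsafe when absent (docutils defaults it to True) or
    when explicitly set to a true value.
    """
    return [key for key in REQUIRED_OFF if settings.get(key, True)]


def render_rst(text):
    """Return an HTML fragment for `text`, rendered with SAFE_RST_SETTINGS."""
    # Imported lazily so check_rst_settings() is usable (e.g. in a settings
    # audit) even on hosts without docutils installed.
    from docutils.core import publish_parts

    parts = publish_parts(source=text, writer_name='html',
                          settings_overrides=dict(SAFE_RST_SETTINGS))
    return parts['fragment']


# Constructed sample input: ordinary inline markup followed by a raw
# directive that should be ignored under the safe settings.
SAMPLE = """A *normal* paragraph.

.. raw:: html

   <span class="raw">passed through</span>
"""

if __name__ == '__main__':
    print(check_rst_settings({}))      # both keys missing -> both reported
    print(render_rst(SAMPLE))          # paragraph only, no raw span
```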