Re: Improve Django markdown rendering.


Waylan Limberg

unread,
Sep 6, 2012, 10:48:03 PM
to django-d...@googlegroups.com
On Thu, Sep 6, 2012 at 8:22 PM, Thomas Purchas <tpur...@gmail.com> wrote:
> I have submitted a patch to improve the way Django handles html in markdown.
> Specifically how it escapes it.
>
> Ticket 6526 has all of the detail, could someone please review my patch.
>
As the maintainer of the Python-Markdown library, I'll weigh in here.

I'll start by noting that safe-mode was a poorly chosen name for the
feature (which was added before I joined the project). Really, it is a
means of restricting raw html and IMO, should only always "escape" raw
html. However, because of the word "safe" in the name, the feature has
grown to support other so-called "safety" features to avoid XSS (for
example injecting malicious JavaScript into a markdown style link)
etc. That said, I can make no claims that it is actually "safe".

The "replace" option is supported for backward compatibility reasons
(also why it is still the default) and "remove" is really just a
shortcut for "replace" with the "html_replacement_text" set to a blank
string. Not sure why anyone would want either of those options. Remove
is too surprising to the document author and replace is a lousy (IMO)
attempt at an explanation. While escape might not be expected by the
author, once noticed, it is not nearly as surprising.

If someone wants "safe" output from Markdown, I recommend using a
library specific to that purpose like bleach [1]. In fact, it would
make more sense to me to create a separate "clean" filter (perhaps
called "clean_html"?) which calls `bleach.clean()` and provide it as a
filter that can be used with any of the markup languages offered by
Django.

If instead, improvements are only going to be made to the markdown
filter, then I would suggest a complete overhaul allowing access to
all of markdown's features [2]. For example, markdown outputs xhtml by
default. Some may want html - which the markdown lib supports - but
the Django filter does not.

To me, the markdown filter in its current state is completely useless.
I have always had to re-implement my own, more powerful solution.

My recommendation is to do one of the following (in order of preference):

1) Remove contrib.markup (per Django's deprecation policy) and leave
it to third party apps to support.
2) Completely refactor the markdown filter to support all of the
markdown library's features except for "safe_mode" and add a new
"clean" filter which can wrap any markup filter.
3) Add a new "clean" filter and simply drop support for Markdown's
safe_mode - leaving the rest as is.

I do not recommend the approach of the current patch. It leaves a bad
taste in my mouth. Also note that I do not recommend supporting
Markdown's "safe_mode" in any form. Of course, the Django team will
need to make whatever decision will better serve the community - not
me.

[1]: https://github.com/jsocol/bleach
[2]: http://packages.python.org/Markdown/reference.html#markdown

--
----
\X/ /-\ `/ |_ /-\ |\|
Waylan Limberg
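The separate "clean" filter suggested above, as an added example that is not part of the thread or of Django's contrib.markup. It stands in for the `bleach.clean()` call with a small allowlist sanitizer built on the standard library's `html.parser`, so it runs without bleach installed; the tag, attribute and protocol allowlists are assumptions chosen for illustration. It escapes raw html it does not recognise (the behaviour argued for above) rather than removing it, and drops `href` values whose scheme is not listed. In a Django app the `clean_html` function would be registered with `register.filter`, which this stand-alone version does not do.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlists for this example. Everything not listed is escaped
# rather than removed, so the document author can see what was rejected.
ALLOWED_TAGS = {"p", "a", "em", "strong", "code", "pre", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_PROTOCOLS = {"http", "https", "mailto"}


def _safe_url(url):
    """True for relative links and for absolute links using an allowed scheme."""
    scheme, sep, _ = url.strip().partition(":")
    return not sep or "/" in scheme or scheme.lower() in ALLOWED_PROTOCOLS


class _Cleaner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Unknown tag: emit it as literal text instead of markup.
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops event-handler attributes such as onclick
            if name == "href" and not _safe_url(value or ""):
                continue  # drops javascript: and any other unlisted scheme
            kept.append(' %s="%s"' % (name, escape(value or "")))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        closing = "</%s>" % tag
        self.out.append(closing if tag in ALLOWED_TAGS else escape(closing))

    def handle_data(self, data):
        # Text was unescaped by the parser; re-escape it on the way out.
        self.out.append(escape(data, quote=False))


def clean_html(html):
    """Sanitize rendered markup; usable as the body of a Django template filter."""
    cleaner = _Cleaner()
    cleaner.feed(html)
    cleaner.close()
    return "".join(cleaner.out)
```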

Donald Stufft

unread,
Sep 6, 2012, 10:51:39 PM
to django-d...@googlegroups.com

ptone

unread,
Sep 6, 2012, 11:08:19 PM
to django-d...@googlegroups.com


On Thursday, September 6, 2012 10:48:30 PM UTC-4, waylan wrote:
If instead, improvements are only going to be made to the markdown
filter, then I would suggest a complete overhaul allowing access to
all of markdown's features [2].

In fact the plan is to deprecate the markup contrib module entirely.

finishing and getting landed the patch is on my todo list for the sprints at Djangocon.

The overhaul you suggest is a great opportunity for someone to offer an improved replacement version available outside of Django.

-Preston
