dalore
Aug 13, 2009, 12:38:10 PM
to Django Basic Apps
I've been messing around with the blog and trying to get inlines
working but I think it's fundamentally broken.
In the post_detail.html template file it has the following line to
render the post:
{{ post.body|render_inlines|markdown:"safe" }}
Now the problem with this is that render_inlines will output html,
which is then removed by markdown:"safe". The "safe" option means to
remove html.
So how is this ever meant to work in the first place?
If you change the order to what it was originally in the source
(judging from the source control history):
{{ post.body|markdown|render_inlines }}
That works, but the problem with that is that you kind of want the
"safe" in there. Otherwise the users can post arbitrary html (which is
a security risk; for instance, a blog user could create a post with a
link to an image which is actually an admin command to do whatever, so
when an admin who is logged in views the blog post, the command is
run).
I think the solution would be to have it like:
{{ post.body|markdown:"safe"|render_inlines }}
And then also change the syntax of <inlines> to not look like an html
tag, so it's not stripped by markdown.
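The three filter orderings discussed above, as an added example that is not part of the original post or of django-basic-apps: markdown:"safe" is modelled as "strip every HTML tag" (the Markdown conversion itself is left out), the inline lookup is a constructed table, and the [[inline:type:id]] marker is a hypothetical replacement syntax.

```python
import re

# Model of markdown:"safe": remove raw HTML the author typed (constructed
# stand-in, not Django's filter; Markdown-to-HTML conversion is omitted).
TAG_RE = re.compile(r"<[^>]+>")
# The original inline marker, which looks like an HTML tag.
INLINE_TAG_RE = re.compile(r'<inline\s+type="(\w+)"\s+id="(\d+)"\s*/?>')
# Hypothetical marker that an HTML stripper will leave alone.
INLINE_BRACKET_RE = re.compile(r"\[\[inline:(\w+):(\d+)\]\]")

# Constructed lookup standing in for the inline's model/template lookup.
INLINES = {("image", 1): '<img src="/media/cat.jpg" alt="cat">'}

def markdown_safe(text: str) -> str:
    """Strip raw HTML, as markdown:"safe" does to user input."""
    return TAG_RE.sub("", text)

def render_inlines(text: str, syntax=INLINE_TAG_RE) -> str:
    """Replace each inline marker with its rendered object."""
    return syntax.sub(
        lambda m: INLINES.get((m.group(1), int(m.group(2))), ""), text)

# Constructed post bodies: one inline plus a link a user should not be able
# to smuggle through (the "admin command" the post warns about).
BODY_TAG = 'Hello <inline type="image" id="1" /> <a href="/admin/delete/1">x</a>'
BODY_BRACKET = 'Hello [[inline:image:1]] <a href="/admin/delete/1">x</a>'

def render_inlines_then_safe(body: str) -> str:
    # {{ body|render_inlines|markdown:"safe" }}: the generated <img> is stripped
    return markdown_safe(render_inlines(body))

def unsafe_then_render_inlines(body: str) -> str:
    # {{ body|markdown|render_inlines }}: works, but user HTML survives
    return render_inlines(body)

def safe_then_render_inlines(body: str, syntax) -> str:
    # {{ body|markdown:"safe"|render_inlines }}: user HTML goes first, then
    # inlines expand, but only if the marker itself is not an HTML tag
    return render_inlines(markdown_safe(body), syntax)

if __name__ == "__main__":
    print(render_inlines_then_safe(BODY_TAG))
    print(unsafe_then_render_inlines(BODY_TAG))
    print(safe_then_render_inlines(BODY_TAG, INLINE_TAG_RE))
    print(safe_then_render_inlines(BODY_BRACKET, INLINE_BRACKET_RE))
```

Only the last ordering, with the non-tag marker, keeps the inline and drops the user-supplied link.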