On 6/20/06, Jeremy Dunck <[EMAIL PROTECTED]> wrote:
> On the open web, you should never ever display text supplied by
> regular users as HTML. Doing so allows them to wreck the page at best
> and create security problems or denial of service at worst.
>
> That said, if you trust your users you might like to look at Beautiful
> Soup for parsing and Universal Feed Parser for sanitization
> inspiration:
>
Well, as it stands right now, I only need this to make sure that text
entered into the Admin is OK, and that's all by trusted users, so
Beautiful Soup might do it.

But what about the comments framework? I guess people are just
restricting their comment fields such that only things supported by
contrib.markdown are allowed? Maybe something like:

{{comment|striptags|markdown}}

How do sites like Fark.com that allow HTML do it? I guess they've just
written their own sanitizers.

Thanks,
Jay P.
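As an added example, not code from this thread, from Django or from Fark.com: the shape of the "write your own sanitizer" Jay speculates about, as an allowlist sanitizer built on the standard library's html.parser. The tag, attribute and URL-scheme sets are an assumed policy for a comment field, chosen for illustration. It is written to run on the final HTML, after any Markdown rendering, because Markdown implementations generally emit whatever link URL they are given, so a link whose href is a javascript: URL can appear in the output that a striptags filter run before rendering never saw. Unknown tags are dropped but their text kept, script and style bodies are dropped whole, comments and declarations are discarded, text and attribute values are re-escaped on output, and stray or unclosed tags are repaired so the result is well formed.

```python
"""Allowlist HTML sanitizer for untrusted comment text (illustrative policy)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy for a comment field: only these survive.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "code", "pre",
                "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_URL_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
# Bodies of these are dropped, not just the tags around them.
DROP_CONTENT_TAGS = {"script", "style"}


def _safe_url(value):
    """Accept relative URLs and the allowed schemes; reject javascript:, data:, etc."""
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme == "" or scheme in ALLOWED_URL_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities arrive decoded in handle_data
        self.out = []
        self.open_tags = []       # allowed tags currently open, for repairing nesting
        self.skip_depth = 0       # > 0 while inside a script/style body

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1   # html.parser treats the body as raw text until the end tag
            return
        if tag not in ALLOWED_TAGS:
            return                # drop the tag, keep whatever text it wraps
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue          # drops onclick, style, src, ... by omission
            if name == "href" and not _safe_url(value):
                continue          # drops javascript:/data:/vbscript: links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth = 0
            return
        if tag in VOID_TAGS or tag not in self.open_tags:
            return                # stray close tag: drop it
        # Close anything opened after this tag so the output stays well formed.
        while self.open_tags:
            open_tag = self.open_tags.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # re-escape decoded text

    # Comments, doctype/CDATA declarations and processing instructions are
    # silently discarded: the inherited handlers emit nothing.

    def result(self):
        self.close()
        while self.open_tags:     # close tags the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html):
    """Return html reduced to the allowlisted subset, safe to mark as trusted output."""
    s = Sanitizer()
    s.feed(html)
    return s.result()


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real site.
    for sample in ['<b onclick="x()">hi</b><script>alert(1)</script>',
                   '<a href="javascript:alert(1)">x</a>',
                   '<img src=x onerror=alert(1)>',
                   '<i>oops<p>para']:
        print(repr(sample), "->", repr(sanitize(sample)))
```

The output would still be marked safe for the template, so the allowlist is the whole security boundary: every attribute not named in ALLOWED_ATTRS (including event handlers and style) disappears by default rather than needing a blocklist entry. For a production site a maintained allowlist library such as bleach or nh3 is the usual choice; the point here is the structure such a sanitizer has.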