To protect against injection, you *do* want to use the safe
argument.
If you don't use the safe parameter, then the markdown filter will not
escape any HTML in the input.
http://freewisdom.org/projects/python-markdown/Django
If you're not convinced, try including the following {{ tex
On Fri, Oct 7, 2011 at 3:04 PM, arkai...@gmail.com wrote:
> Hi,
> I am aware that Markdown is a formatting language like textile or any other.
> It is just that I've seen other projects using {{var|markdown:"safe"}} to
> protect against injected html and I don't know if that is the same, better
>
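The difference described in the reply above, as an added example that is not part of this thread and not python-markdown's or Django's code: a toy model of Django's autoescape rule (escape everything except a value marked safe) and of the old markdown filter's "safe" argument. SafeString, mark_safe, toy_markdown, markdown_filter, render, compare and the sample comment are all constructed for the illustration; the renderer only knows **bold** and bare-URL autolinks, which is enough to show why the filter's output bypasses autoescape.

```python
import html
import re


class SafeString(str):
    """Marker type: the template engine will not autoescape this.
    Stands in for django.utils.safestring.SafeString (assumption)."""


def mark_safe(s):
    return SafeString(s)


# Toy renderer with two Markdown features (**bold** and bare-URL autolinks).
# Its signature mirrors the shape of markdown.markdown(text, safe_mode=...)
# from python-markdown of that era, but this is a constructed stand-in.
_BOLD = re.compile(r"\*\*(.+?)\*\*")
_URL = re.compile(r"(https?://[^\s<]+)")


def toy_markdown(text, safe_mode=None):
    if safe_mode == "escape":
        # Neutralise raw HTML *before* the renderer emits its own tags,
        # so user-supplied tags are escaped but generated markup is kept.
        text = html.escape(text, quote=True)
    text = _BOLD.sub(r"<strong>\1</strong>", text)
    text = _URL.sub(r'<a href="\1">\1</a>', text)
    return text


def markdown_filter(value, arg=""):
    """Shape of the old python-markdown Django filter, used as
    {{ var|markdown }} or {{ var|markdown:"safe" }}. The result is always
    marked safe, so whatever the renderer emits reaches the page
    without autoescaping (constructed model, not the library's code)."""
    safe_mode = "escape" if "safe" in arg.split(",") else None
    return mark_safe(toy_markdown(value, safe_mode=safe_mode))


def render(value):
    """Django's autoescape rule: escape everything except SafeString."""
    if isinstance(value, SafeString):
        return str(value)
    return html.escape(str(value), quote=True)


# Constructed comment: raw HTML next to legitimate markup and a URL.
COMMENT = '<script>alert(1)</script> **bold** see http://example.com/?a=1&b=2'


def compare(comment=COMMENT):
    """Return what each template expression would output for `comment`."""
    return {
        "{{ comment }}": render(comment),
        "{{ comment|markdown }}": render(markdown_filter(comment)),
        '{{ comment|markdown:"safe" }}': render(markdown_filter(comment, "safe")),
    }


def leaks_raw_html(rendered):
    """Crude check for the demo: did the constructed <script> tag survive?"""
    return "<script>" in rendered


if __name__ == "__main__":
    for expr, out in compare().items():
        print(f"{expr:30} leaks={leaks_raw_html(out)!s:5} {out}")
```

Plain {{ comment }} is escaped by autoescape but gets no formatting; {{ comment|markdown }} is formatted but, because the filter marks its output safe, the raw script tag reaches the page; {{ comment|markdown:"safe" }} escapes the user's HTML first and still emits the generated tags. One caveat for anyone reading this thread today: python-markdown's safe_mode was deprecated in 2.6 and removed in 3.0, so the equivalent now is to run the rendered HTML through a dedicated sanitizer before marking it safe.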
Hi,
I am aware that Markdown is a formatting language like textile or any other.
It is just that I've seen other projects using {{var|markdown:"safe"}} to
protect against injected html and I don't know if that is the same, better
or worse than just {{var}} without disabling autoescape.
Thanks
--
On Fri, Oct 7, 2011 at 9:00 AM, arkai...@gmail.com wrote:
> Hi all,
> I'm working on a comments addon for my app and I'm checking the alternatives
> for urlizing and securing what users write in comments.
> I thought that just using Django's default autoescape (not doing anything)
> plus the |urliz
Hi all,
I'm working on a comments addon for my app and I'm checking the alternatives
for urlizing and securing what users write in comments.
I thought that just using Django's default autoescape (not doing anything)
plus the |urlize filter like "{{comment|urlize}}" would be enough, but I've
seen ex