comses / comses.net

comses.net wagtail site
https://www.comses.net
GNU General Public License v3.0

Server side Markdown sanitization and rendering #26

Closed cpritcha closed 6 years ago

cpritcha commented 7 years ago

Client side we could use Vue Medium Editor to edit the text and keep the text as html server-side instead of markdown.

alee commented 7 years ago

I'd rather keep markdown server-side, sanitized on the way out.

  1. Markdown is simpler to read and edit than HTML and I'd like to preserve the ability for users to quickly and easily edit the "source" format Markdown without it having been transformed into HTML and then back again
  2. Storing generated html feels dirty, especially given how awful wysiwygs have been traditionally at generating html
  3. There are security risks in Markdown as well (embedded links to malicious sites / files) but I'd argue those are more easily parsed and mitigated. See https://security.stackexchange.com/questions/14664/how-do-i-use-markdown-securely
  4. We can easily cache the rendered content in redis or the db à la https://stackoverflow.com/questions/10456910/should-i-convert-stored-markdown-to-html-or-should-i-just-store-html

cpritcha commented 7 years ago

Based on our conversation I'll make a custom markdown field in django. Before saving the data in the database and retrieving data from the database some preprocessing will occur.

  1. convert markdown to html (with markdown package)
  2. sanitize html (with bleach)
  3. convert html to markdown using html2text

We can always cache the html results.
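Added illustration of the sanitize step in the pipeline above (step 2) and of the "embedded links to malicious sites" risk alee raises; this is not code from the comses.net project. It assumes the HTML fragment has already been produced by rendering Markdown (the thread's `markdown` package, step 1) and stands in for `bleach.clean` with a stdlib allowlist sanitizer built on `html.parser`, so it runs without bleach installed. The allowed tag, attribute and URL-scheme sets are assumptions chosen for the example; the html2text round-trip (step 3) is not shown.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlists (assumed for this example; bleach takes equivalent arguments).
ALLOWED_TAGS = {"p", "a", "em", "strong", "code", "pre", "ul", "ol", "li",
                "blockquote", "br", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}}       # everything else (onclick, style, ...) is dropped
ALLOWED_SCHEMES = {"http", "https", "mailto"}  # javascript:, data:, vbscript: are rejected
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}        # tag AND its text are removed


def url_is_safe(value):
    """Reject hrefs whose scheme is not allowlisted; relative links are allowed.
    Whitespace and control characters are stripped before the check because
    browsers ignore them inside a scheme (e.g. 'java\\tscript:')."""
    cleaned = "".join(c for c in (value or "") if not c.isspace() and ord(c) >= 0x20)
    try:
        scheme = urlparse(cleaned).scheme  # urlparse lower-cases the scheme
    except ValueError:
        return False
    return scheme == "" or scheme in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags/attributes; all text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack used to emit well-formed closing tags
        self.skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped, its text content is kept
        safe_attrs = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not url_is_safe(value):
                continue  # drop the attribute, keep the (now harmless) anchor
            safe_attrs.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            while self.open_tags:  # close down to the matching tag
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:  # close anything the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_rendered_markdown(html):
    """Step 2 of the thread's pipeline: takes HTML produced from Markdown and
    returns a fragment containing only allowlisted markup."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample: what a renderer might emit for hostile Markdown input.
    rendered = ('<p>Hello <strong>world</strong></p>'
                '<a href="javascript:alert(1)">click</a>'
                '<script>steal()</script>'
                '<a href="https://example.com" onclick="x()">ok</a>')
    print(sanitize_rendered_markdown(rendered))
```

Because the parser re-escapes every text node and re-serialises tags itself, output is well-formed even for unclosed or mismatched input, which matters when the sanitized HTML is later fed to html2text or cached for reuse.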