djstevenson / songs-to-the-siren

A blog about songs
MIT License

HTML in comments #226

Closed djstevenson closed 4 years ago

djstevenson commented 4 years ago

The markdown renderer allows HTML which is passed-through as-is. This is fine for admin-edited content, but not for user comments.

Options:

djstevenson commented 4 years ago

This MUST be fixed before we deploy!

djstevenson commented 4 years ago

Merging in ticket #228 which is about refactoring NeverTire::View::Comment::Render - closing that ticket as a dupe

djstevenson commented 4 years ago

Forthcoming PR puts comment rendering into Mojo templates, it's only a couple of percent slower - yet it's way-neater code, and is also safer.

djstevenson commented 4 years ago

Re-open, PR #229 moved the rendering into templates, but the comments themselves are still rendered by the Markdown processor, which is allowing HTML.
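Added example, not code from songs-to-the-siren: a stdlib-only Python allowlist filter run over the Markdown renderer's HTML output before it reaches the comment template, so pass-through HTML from a commenter cannot inject scripts or event handlers. It assumes the renderer emits plain HTML fragments; the `RENDERED` string is a constructed sample of pass-through output for a hostile comment, and the allowed tag set is a hypothetical choice.

```python
from html import escape
from html.parser import HTMLParser

# Tags a user comment may keep; everything else is dropped (text content survives).
ALLOWED_TAGS = {"p", "em", "strong", "code", "pre", "ul", "ol", "li",
                "blockquote", "a", "br"}
VOID_TAGS = {"br"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class CommentSanitizer(HTMLParser):
    """Rebuilds the fragment keeping only allowlisted tags and a safe href."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # depth inside <script>/<style>; their text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if tag not in ALLOWED_TAGS or self.skip:
            return  # unknown tag (img, div, iframe...): drop tag, keep text
        kept = ""
        if tag == "a":  # only keep href with a safe scheme; all other attrs go
            href = (dict(attrs).get("href") or "").strip()
            if href.lower().startswith(SAFE_SCHEMES):
                kept = f' href="{escape(href, quote=True)}" rel="nofollow"'
        self.out.append(f"<{tag}{kept}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS and not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:  # text is re-escaped, so "<" typed by a user stays text
            self.out.append(escape(data, quote=False))


def sanitize(rendered_html: str) -> str:
    parser = CommentSanitizer()
    parser.feed(rendered_html)
    parser.close()
    return "".join(parser.out)


# Constructed sample: what a pass-through Markdown renderer emits for a hostile comment.
RENDERED = ('<p>Nice <em>song</em> <script>alert(1)</script>'
            '<a href="javascript:alert(2)" onclick="x()">link</a> '
            '<img src=x onerror="alert(3)"></p>')

if __name__ == "__main__":
    print(sanitize(RENDERED))  # <p>Nice <em>song</em> <a>link</a> </p>
```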