As a Clojure geek, I have loved using this library when I'm in python, but I've realized I can't do that for anything that might take arbitrary input from the web, as I could open the app up to an html injection attack. Therefore, I think it would be prudent that the default behavior of cottonmouth.html.render et al would be to sanitize html with some existing python lib (perhaps? https://github.com/mozilla/bleach). It will be important in this to have some way of supporting inlining html strings, marking them as safe, or having a separate "safe" function call (or should it be called danger?). So that's something to think out. But again, I think this is a rather important issue if you want folks to use this library for anything serious/general.
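A sketch of the escape-by-default behaviour the post asks for, as an added example that is not cottonmouth's code: a hypothetical hiccup-style renderer that escapes every plain string with the standard library's `html.escape` (assumed here in place of bleach, which the post suggests) and only emits verbatim the values wrapped with a `safe()` marker. Tag and attribute names are validated separately because they are structure, not data, and must never be taken from input.

```python
import html
import re

# Hypothetical mini renderer in the spirit of the proposal, not cottonmouth's code:
# lists such as ["p", {"class": "x"}, "text"] become HTML, every plain str is escaped.

_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")  # tag/attribute names are never data
_VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "source", "wbr"}


class Safe(str):
    """A str the caller vouches for. Concatenating it with a plain str gives a
    plain str again, so the trusted status is not inherited by accident."""


def safe(markup):
    """Explicit opt-out of escaping (the post's 'safe' or 'danger' call)."""
    return Safe(markup)


def _attrs(attrs):
    out = []
    for name, value in attrs.items():
        if not _NAME_RE.match(name):
            raise ValueError(f"bad attribute name: {name!r}")
        if value is True:  # boolean attribute, e.g. <input disabled>
            out.append(f" {name}")
        elif value is not False and value is not None:  # quote=True also escapes " and '
            out.append(f' {name}="{html.escape(str(value), quote=True)}"')
    return "".join(out)


def render(node):
    """Render a node tree to HTML; untrusted text is escaped by default."""
    if isinstance(node, Safe):
        return str(node)
    if isinstance(node, str):
        return html.escape(node, quote=True)
    if isinstance(node, (int, float)):
        return str(node)
    if isinstance(node, tuple):  # a tuple is a fragment: children with no wrapper
        return "".join(render(child) for child in node)
    if isinstance(node, list) and node and isinstance(node[0], str):
        tag, rest = node[0], list(node[1:])
        if not _NAME_RE.match(tag):
            raise ValueError(f"bad tag name: {tag!r}")
        attrs = rest.pop(0) if rest and isinstance(rest[0], dict) else {}
        open_tag = f"<{tag}{_attrs(attrs)}>"
        if tag.lower() in _VOID:
            return open_tag
        return open_tag + "".join(render(child) for child in rest) + f"</{tag}>"
    raise TypeError(f"cannot render {type(node).__name__}")
```

Because `Safe` is a `str` subclass, `safe(a) + untrusted` silently becomes a plain `str` and gets escaped, which is the failure-safe direction for a marker of this kind.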