thoughtbot / carnival

An unobtrusive, developer-friendly way to add comments
MIT License

HTML is unescaped #266

Closed calebhearth closed 9 years ago

calebhearth commented 9 years ago

jferris commented 9 years ago

The comments are markdown, and a subset of HTML is allowed. This is normal in markdown parsers; for example, GitHub comments allow some HTML, and putting unescaped <li> tags in a GitHub comment gets you a list item.

You can see more details on the whitelist being used here: https://github.com/yesodweb/haskell-xss-sanitize

It's possible that markdown isn't the best format for our comments, but it seemed good to start with.
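An added illustration of the allowlist approach described above, written for this page and not taken from carnival or from haskell-xss-sanitize (whose real tag and attribute lists differ): a small sanitizer in Python on top of the standard-library `html.parser`. The allowed tags, attributes and URL schemes are this example's own assumptions. It demonstrates the property the thread turns on: an unescaped `<li>` survives as a list item, while `<script>` blocks, event-handler attributes and `javascript:` links are dropped, and any tag that is not on the list is removed but its text kept.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for this example; haskell-xss-sanitize's actual lists differ.
ALLOWED_TAGS = {"p", "em", "strong", "code", "pre", "ul", "ol", "li",
                "a", "blockquote", "br"}
ALLOWED_ATTRS = {"a": {"href"}}          # every other attribute is dropped
VOID_TAGS = {"br"}                        # never gets a closing tag
ALLOWED_URL_SCHEMES = {"http", "https", "mailto"}
DROP_CONTENT_TAGS = {"script", "style"}   # tag *and* its text are discarded


def _safe_href(value: str) -> bool:
    """Accept relative URLs and a short list of schemes; reject e.g. javascript:."""
    # Browsers ignore embedded whitespace/control characters in schemes, so strip them
    # before inspecting rather than trusting the raw string.
    compact = "".join(ch for ch in value if not ch.isspace() and ord(ch) >= 32).lower()
    if ":" not in compact:
        return True                        # relative link, no scheme at all
    return compact.split(":", 1)[0] in ALLOWED_URL_SCHEMES


class WhitelistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)   # entities arrive decoded; we re-escape on output
        self.out: list[str] = []
        self.open_stack: list[str] = []           # tags we emitted and still have to close
        self.skip_depth = 0                       # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                                # unknown tag: dropped, text still flows through
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                          # onclick=, style=, etc. never survive
            if name == "href" and not _safe_href(value or ""):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag not in self.open_stack:
            return
        # Close everything opened after the matching tag so output nesting stays valid.
        while self.open_stack:
            opened = self.open_stack.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # text is always re-escaped

    def result(self) -> str:
        while self.open_stack:                     # close anything the author left open
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize(html: str) -> str:
    """Return `html` reduced to the allowlisted tags/attributes, with all text escaped."""
    parser = WhitelistSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample inputs, not real comments from the project.
    for sample in ["<li>item</li>",
                   "<script>alert(1)</script>hi",
                   '<a href="javascript:alert(1)" onclick="x()">x</a>',
                   "<em>unclosed"]:
        print(repr(sample), "->", repr(sanitize(sample)))
```

The parser re-escapes all text on the way out, so decoded entities such as `&lt;script&gt;` are emitted as text again rather than becoming markup, and an unclosed `<em>` is closed before the fragment is returned.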

calebhearth commented 9 years ago

> The comments are markdown, and a subset of HTML is allowed. This is normal in markdown parsers; for example, GitHub comments allow some HTML, and putting unescaped <li> tags in a GitHub comment gets you a list item.

Yup, seems right.

> It's possible that markdown isn't the best format for our comments, but it seemed good to start with.

I'd have to see more use cases, but I don't think there's much value in markdown. Maybe a super-subset of markdown that allows for _ => <em>, * => <strong>, and autolinks (which we don't have). Just a thought.
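The "super-subset" sketched in the comment above, as an added example that is not part of the carnival project: escape every character HTML cares about first, then layer `_..._`, `*...*` and http(s) autolinks on top of the already-escaped text. No raw HTML is ever passed through, so there is no allowlist to get wrong, and because only `http://` and `https://` are recognised as links, no other URL scheme can become one. The regular expressions, the underscore-inside-words rule and the trailing-punctuation handling are this example's assumptions.

```python
import re
from html import escape

# Only http(s) is ever turned into a link; javascript:, data:, etc. stay plain text.
URL_RE = re.compile(r"""https?://[^\s<>"']+""")
# _emphasis_ and *strong*: the marker must not sit inside a word (so snake_case
# and 2*3*4 are left alone) and must hug non-space text on the inside.
EM_RE = re.compile(r"(?<!\w)_(?=\S)(.+?)(?<=\S)_(?!\w)")
STRONG_RE = re.compile(r"(?<![\w*])\*(?=\S)(.+?)(?<=\S)\*(?![\w*])")
TRAILING_PUNCT = ".,;:!?)"


def _inline(text: str) -> str:
    """Escape first, then apply the two markers; markup can only come from this function."""
    text = escape(text, quote=True)
    text = STRONG_RE.sub(r"<strong>\1</strong>", text)
    text = EM_RE.sub(r"<em>\1</em>", text)
    return text


def render(comment: str) -> str:
    """Render one comment: escaped text with _em_, *strong* and autolinked http(s) URLs."""
    out = []
    pos = 0
    for match in URL_RE.finditer(comment):
        out.append(_inline(comment[pos:match.start()]))
        url = match.group(0).rstrip(TRAILING_PUNCT)   # "see https://x.y." should not link the dot
        safe = escape(url, quote=True)                 # & in query strings becomes &amp;
        out.append(f'<a href="{safe}">{safe}</a>')
        pos = match.start() + len(url)                 # stripped punctuation is handled as text
    out.append(_inline(comment[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample comments, not real data from the project.
    for sample in ["<script>alert(1)</script>",
                   "_em_ and *strong*",
                   "see https://example.com/a?b=1&c=2.",
                   "snake_case_name is 2*3*4"]:
        print(repr(sample), "->", repr(render(sample)))
```

Because escaping happens before any marker is interpreted, a `<` or `"` inside an emphasised span is already `&lt;` or `&quot;` by the time the regex runs, and the anchor's `href` can only ever hold a string that began with `http://` or `https://`.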