From: Waylan L. <wa...@gm...> - 2008-07-17 22:26:11
First of all, the parentheses in links issue is a known bug with an existing ticket[1]. A patch is most welcome. That said, Yuri pointed out a few ways to work around that limitation.

[1]: http://www.freewisdom.org/projects/python-markdown/Tickets/000004

On Thu, Jul 17, 2008 at 5:45 PM, Yuri Takhteyev <qar...@gm...> wrote:
>
> Now, given that we already have a "safe" option that filters out
> user's HTML, I would be open to also stripping out (in "safe" mode)
> any links that do not start with one of a small number of prefixes
> known to be (relatively) safe (e.g., "/", "#", "http://", "https://",
> "mailto://"). However, this would only make sense in "safe" mode,
> when user-supplied HTML is already being removed.
>

Something quite similar to this was checked in [2] a few months back. I considered doing exactly as you suggested, but it seemed a little too restrictive, so I used Python's URL parser to leave a little more flexibility. In any event, it is only available in safe_mode. See the docstring in the patch for an explanation.

I'm not completely convinced it covers every possibility. Actually, as http://ha.ckers.org/xss.html points out, there very well may be as yet undiscovered possibilities that we don't know to check for. In any event, for anyone that cares about this issue, that is an interesting read. If anyone has any improvements and/or suggestions, I'm open.

[2]: http://gitorious.org/projects/python-markdown/repos/mainline/commits/2db5d1c8e469d2943a6a851bc0ff3ede070e448b

--
----
Waylan Limberg
wa...@gm...
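An added illustration of the scheme-allowlist approach discussed in this thread, written with Python's URL parser as the message suggests. This is example code, not the python-markdown patch referenced above; the `SAFE_SCHEMES` allowlist and the function names are assumptions. It also shows two of the evasions the linked XSS page warns about (HTML-entity-encoded schemes and control characters inside the scheme) being normalised away before the scheme is checked, which a plain string-prefix check would miss.

```python
import html
import re
from urllib.parse import urlparse

# Assumed allowlist for a "safe mode" renderer (not python-markdown's own list).
SAFE_SCHEMES = {"http", "https", "mailto", "ftp"}

# Tabs, newlines and other C0 controls that browsers silently drop inside a URL.
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")


def is_safe_link(url: str) -> bool:
    """Return True if `url` may be emitted as an href in safe mode.

    Relative links ("/path", "#anchor", "page.html") carry no scheme and are
    allowed. Any absolute URL whose scheme is not in SAFE_SCHEMES (for example
    javascript:, data: or vbscript:) is rejected. Before parsing, the URL is
    entity-decoded and stripped of control characters, because a browser does
    the same before interpreting it, so a raw prefix check can be bypassed.
    """
    # "&#106;avascript:" or "java&#58;script" decode to the real scheme.
    decoded = html.unescape(url)
    # "java\tscript:" and "java\nscript:" are still run as javascript: by browsers.
    cleaned = _CONTROL_CHARS.sub("", decoded)
    # urlparse already lower-cases the scheme; .lower() is kept for clarity.
    scheme = urlparse(cleaned).scheme.lower()
    if not scheme:
        return True  # no scheme: relative URL
    return scheme in SAFE_SCHEMES


def sanitize_href(url: str) -> str:
    """Return the href to emit: the original URL if it is safe, else an empty string."""
    return url if is_safe_link(url) else ""
```

Note that a scheme allowlist only decides which kinds of link survive; it does not make the rest of the rendered output safe, which is why the thread ties this behaviour to safe_mode, where user-supplied HTML is already stripped.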