I'd like to enable users to leave rich text comments, possibly using markdown. I've installed the libraries used on Reddit, but am concerned about the javascript injection attack which occurred last year, especially since I'm still not clear on the details of how the attack was done. Should I still be concerned about comment security? Is there a test string I can put through my system to check for the same flaws that took down reddit?
reddit uses the discount markdown library now.
Python-Markdown - the 'standard' one more or less - has a 'safe mode' feature that escapes html tags. That should be enough to counter most all HTML injection attacks.
The other answers mention Python-Markdown's safe mode but that is now deprecated. The authors of Python-Markdown have been quoted saying:
They now recommend using an HTML sanitizer like Bleach to sanitize the Markdown output. mdx_bleach is a Python-Markdown extension that does just that. Disclaimer: I'm the author of this extension.
Because it uses html5lib to parse document fragments the same way browsers do, Bleach is extremely resilient to unknown attacks, much more so than regular-expression-based sanitizers.
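To make the approach in this answer concrete, here is an added example (not code from the answer, from Bleach, or from mdx_bleach) of the allowlist sanitizer pattern applied to the HTML that a Markdown renderer produces. It uses only the standard library's `html.parser`, so it stands in for Bleach rather than calling it; the tag, attribute and URL-scheme allowlists are assumptions chosen for a comment system. The point it illustrates is the one the answer makes: the sanitizer parses the fragment as a browser would, keeps only what is explicitly allowed, and escapes everything else, rather than trying to pattern-match dangerous strings.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlists assumed for a comment system (not Bleach's defaults).
ALLOWED_TAGS = {"p", "a", "em", "strong", "code", "pre",
                "ul", "ol", "li", "blockquote", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}


def _safe_url(url):
    """Accept relative links and an explicit list of schemes only."""
    scheme = urlparse(url.strip()).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-emit an HTML fragment, keeping allowed tags and escaping the rest."""

    def __init__(self):
        # convert_charrefs=True: entities arrive decoded in handle_data and are
        # re-escaped there, so nothing can be smuggled through as a char ref.
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Unknown tag: emit it as visible text, never as markup.
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops on* handlers, style, etc.
            if name == "href" and not _safe_url(value or ""):
                continue  # drops javascript: and other unlisted schemes
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            if tag not in VOID_TAGS:
                self.out.append(f"</{tag}>")
        else:
            self.out.append(escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(escape(data))


def sanitize(html):
    """Sanitize rendered Markdown output before storing or serving it."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed inputs: what a Markdown renderer might emit for a comment.
    for fragment in [
        "<p>Hello <strong>world</strong></p>",
        '<a href="https://example.com" onclick="x()">ok</a>',
        '<a href="javascript:alert(1)">x</a>',
        "<script>alert(1)</script>",
    ]:
        print(repr(fragment), "->", repr(sanitize(fragment)))
```

Run it on the rendered output of your Markdown library rather than on the raw Markdown: the renderer is what turns user input into HTML, so the sanitizer must see the final fragment. Regression tests that feed the classic cases above through `sanitize()` and assert on the exact output are the "test string" check the question asks about, and they should be kept in the project's test suite so a renderer upgrade that starts passing raw HTML through is caught.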