All times shown according to UTC.

Time Nick Message
17:37 benjaoming branko: that's cool, but PHP?? :P
18:32 branko benjaoming: Yeah, I know... There's a reason I rewrote the permission check logic code :)
18:33 benjaoming: Ok, so I could test the pull branch for the fix you made, right?
18:33 benjaoming: If you have ideas about some easy features I could start off with, let me know.
18:33 benjaoming branko: Yes, it's operational :)
18:33 It's basically the whitelisted HTML tags and attributes that I'm wondering about
18:34 If they cover all usages
18:34 It's a new logic.. instead of banning certain tags, the new style is to only whitelist tags and attributes. Django does the same with its template tags now.
18:36 branko Hm... Should I check out master or should I check out the bleach branch from your repo fork?
18:36 Ah, finally found it :)
18:36 benjaoming Yes, the branch from my bleach PR
18:37 I looked a bit at the code for "images" and "attachments" plugins, but I feel uncertain about it... as if I haven't had enough time to think it through :)
18:38 branko Btw, would be cool to have requirements.txt of sorts for running the testproject (not sure if there's some way already to install deps).
18:41 Hm... Didn't I report an issue or something somewhere? Was trying to find my sample code :)
18:44 benjaoming: Am I right that the CSS has not been updated for the highlight-wrapper, right?
18:44 (i.e. to have same colours/width/height scrolling restrictions)
18:45 benjaoming: Should <code> be white-listed too?
18:46 Ah, already in there in allowed_tags.
18:46 Nvm
18:48 I think default whitelist looks fine.
18:52 Hm... class/id could be potentially dangerous when coupled with JS.
18:55 benjaoming: So, the cleaning code now converts text into HTML, and then cleans it, right? Would it make more sense to clean up before or not?
19:10 Fanthomas90 joined #django-wiki
19:15 benjaoming branko: that's the approach that broke :)
19:15 It was released in 0.2 - but as the reporter states, it was replacing "<" and ">" which were syntactical in Markdown
19:21 branko Ah
19:24 The > is used at line beginnings for blockquotes, right?
19:24 What's the < used for?
19:25 I guess the main thing is that if you introduced a new markdown extension that produces some new html tag, it will break.
19:30 But oh well :)
19:30 I guess it can be fixed on the fly.
19:31 benjaoming: What about allowing id/class - I'm guessing id can be particularly problematic.
19:37 benjaoming branko: the "class" is necessary for many aspects because plugins add things like class="codehilite-blahblah"
19:38 the "id" attribute is important because of the heading and TOC plugin
19:38 "important" = the only way I know how to allow the current behavior of the plugins
19:56 branko Hm... Could you filter out specific attributes prior to applying markdown?
19:57 I.e. stripping id/class attributes from original, then pump it through markdown followed by bleach?
19:57 Does bleach support black-list?
19:58 Maybe something similar to http://www.dancingwithpinguins[…]ist-to-blacklist/ could be done (just for attributes)?
22:07 Fanthomas90 joined #django-wiki
