I'd like to enable users to leave rich text comments, possibly using markdown. I've installed the libraries used on Reddit, but am concerned about the javascript injection attack which occurred last year, especially since I'm still not clear on the details of how the attack was done. Should I still be concerned about comment security? Is there a test string I can put through my system to check for the same flaws that took down reddit?
+1
A:
This library - the 'standard' one more or less - has a 'safe mode' feature that escapes html tags. That should be enough to counter most all HTML injection attacks.
Scavenger
2010-03-02 10:52:08
I'm working in a pure python environment (google app engine) so I don't think I can use a C library. I'm looking at the library Scavenger mentioned above, and also looking at the filters.py and markdown.py code from reddit. The freewisdom library is *intended* to be dropped into another project, whereas obviously you intended the reddit code to work in reddit, so that leans me toward the freewisdom code. On the other hand, I'm curious about why you needed to write your own filter code in the first place -- are there vulnerabilities in the publicly available libraries I should be aware of?
MichaelBlume
2010-03-16 18:38:45