This blog now uses markdown for both comments and blog entries. Using the python-markdown library, every comment is run through a markdown filter before it is published. Of course, comments are rendered with safe_mode enabled, so raw HTML in a comment is not passed through and they shouldn't be vulnerable to XSS attacks.
My previous posts were written in plain HTML. I don't mind writing HTML as long as I have html-mode for emacs; it makes the tedium of writing tags very much bearable. However, using markdown will make some things easier, such as linking to the markdown website every time I write markdown, rather than just once as I was likely to do in html-mode.
Anyway, this is mostly a test to make sure everything is happy and working correctly.
The actual code was pretty simple. I haven't yet vetted the mercurial repositories that I use for my website, so I'm not going to post a link to the changesets yet, but it was mostly just running the object's content through markdown.markdown().
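To show what the safe_mode filter above is protecting against, here is an added example (not this blog's code and not python-markdown's implementation) that emulates the "replace" behaviour on a constructed comment: raw HTML tags become "[HTML_REMOVED]", the rest is escaped, and only then is a small markdown subset rendered. The scheme allowlist on link targets is an assumed extra check, not something the post describes.

```python
import html
import re

# Added illustration of a safe_mode-style comment filter. It is not the
# blog's code nor python-markdown's implementation: it only emulates the
# "replace" behaviour (raw HTML tags become "[HTML_REMOVED]") and handles a
# small markdown subset (links and *emphasis*).
RAW_TAG = re.compile(r"<[^<>]*>")                 # anything tag-shaped
LINK = re.compile(r"\[([^\]]+)\]\(([^)\s]+)\)")   # [label](url)
EMPH = re.compile(r"\*([^*]+)\*")                 # *text*
SAFE_SCHEMES = ("http:", "https:", "mailto:")     # assumed allowlist

def safe_url(url: str) -> str:
    """Keep relative URLs and allowlisted schemes; anything else becomes '#'.

    Whitespace and control characters are stripped before the check because
    browsers ignore them inside a scheme ("java\tscript:" still runs).
    """
    cleaned = re.sub(r"[\s\x00-\x1f]", "", url).lower()
    first_segment = cleaned.split("/", 1)[0]
    if ":" not in first_segment:                  # no scheme at all
        return url
    return url if cleaned.startswith(SAFE_SCHEMES) else "#"

def render_comment(text: str) -> str:
    """Render one comment: drop raw HTML, escape the rest, then apply markdown."""
    text = RAW_TAG.sub("[HTML_REMOVED]", text)    # 1. raw tags never reach output
    out = html.escape(text, quote=True)           # 2. escape <, >, &, ", '

    def link(match):                              # 3. links with a checked href
        label, url = match.group(1), html.unescape(match.group(2))
        href = html.escape(safe_url(url), quote=True)
        return f'<a href="{href}">{label}</a>'

    out = LINK.sub(link, out)
    out = EMPH.sub(r"<em>\1</em>", out)
    return f"<p>{out}</p>"

if __name__ == "__main__":
    # Constructed sample comment, in the spirit of the XSS test comment below.
    sample = '<script>alert("XSS")</script> see [here](javascript:alert%281%29) *ok*'
    print(render_comment(sample))
```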
Comments
19 spam comments omitted.
I am no longer accepting new comments.
Adam Gomaa
#266, 2007-08-05T20:04:09Z
Wow! That's awesome. This is also just a markdown test.
Eric Duncan
#28004, 2009-08-29T23:20:11Z
I ran across a few XSS exploits with Markdown.NET (the .NET version). I am going to try one here, and I apologize if it actually works. I wanted to test it on a live site, and this seems like a nice little place to do it. Please feel free to email me on my blog for comments, rants, yelling, etc. :)
Here it goes... If it works, you'll see a popup with "XSS" in it.
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->[HTML_REMOVED]">'>[HTML_REMOVED]alert(String.fromCharCode(88,83,83))[HTML_REMOVED]