git.postgresql.org Git - pgweb.git/commit

projects / pgweb.git / commit

summary | shortlog | log | commit | commitdiff | tree
(parent: 1d43ada) | patch

author	Magnus Hagander <magnus@hagander.net>
	Sun, 8 Nov 2020 16:03:04 +0000 (17:03 +0100)
committer	Magnus Hagander <magnus@hagander.net>
	Thu, 12 Nov 2020 17:52:04 +0000 (18:52 +0100)
commit	ea9becd74604f30064784185ff54f0d8eafb8467
tree	4084dfddc595745856fde15b8b4863a45bfb8046	tree
parent	1d43adaf2a7206a131ab5026587f06593455bf50	commit \| diff

Re-do markdown handling for better user experience and security

* Get rid of the django_markwhat dependency, and implement our own
  classes to get more control. In passing also remove django-markdown,
  because we never used that.
* Instead of trying to clean markdown with regexps, use the bleach
  library (NEW DEPENDENCY) with special whitelisting of allowed tags
  based off standard markdown. This means that one can input links or
  formatting in HTML if one prefers, as long as it renders to the same
  subset of tags that markdown allows.
* Replace javascript based client side preview with an actual call to a
  preview URL that renders the exact result using the same function,
  since the use of showdown on the client was increasingly starting to
  differ from the server, and since that cannot be kept secure the same
  way. Rewrite the client side javascript to work better with the now
  longer interval between updates of the preview.

Long in planning, but never got around to it.

Suggestion to use bleach for escaping from David Fetter.

25 files changed:

media/css/markdown_preview.css	[moved from media/css/showdown_preview.css with 100% similarity]	blob \| blame \| history
media/js/admin_pgweb.js		diff \| blob \| blame \| history
media/js/forms.js		diff \| blob \| blame \| history
media/js/markdown_preview.js	[new file with mode: 0644]	blob
media/js/showdown_preview.js	[deleted file]	blob \| blame \| history
pgweb/account/urls.py		diff \| blob \| blame \| history
pgweb/account/views.py		diff \| blob \| blame \| history
pgweb/core/templatetags/pgmarkdown.py	[new file with mode: 0644]	blob
pgweb/settings.py		diff \| blob \| blame \| history
pgweb/util/helpers.py		diff \| blob \| blame \| history
pgweb/util/markup.py	[new file with mode: 0644]	blob
pgweb/util/moderation.py		diff \| blob \| blame \| history
requirements.txt		diff \| blob \| blame \| history
templates/admin/change_form_pgweb.html		diff \| blob \| blame \| history
templates/base/form.html		diff \| blob \| blame \| history
templates/downloads/productlist.html		diff \| blob \| blame \| history
templates/events/archive.html		diff \| blob \| blame \| history
templates/events/item.html		diff \| blob \| blame \| history
templates/events/rss_description.html		diff \| blob \| blame \| history
templates/featurematrix/featuredetail.html		diff \| blob \| blame \| history
templates/news/item.html		diff \| blob \| blame \| history
templates/news/mail/default.html		diff \| blob \| blame \| history
templates/news/mail/pgproject.html		diff \| blob \| blame \| history
templates/news/newsarchive.html		diff \| blob \| blame \| history
templates/news/rss_description.html		diff \| blob \| blame \| history

This is the code for the postgresql.org website