Site Errata


Since the 2011 redesign, it was the intent that comments would not only be heavily filtered and curated, but that by surviving that process, comments would earn a place of equal standing with the main body text.

We’ve finally gotten around to incorporating this intent into the way comments are displayed: removing the visual break between the main body and the comments, and removing any formatting differences between the two as well.

Finally, I’ve switched the formatting syntax in the comment processor from Textile to the better-known Markdown, specifically Michel Fortin’s MarkdownExtra. This means readers have access to the full range of MarkdownExtra — footnotes, definition lists, tables, etc. — and also to raw HTML, since the Markdown spec permits inline HTML markup.

Fortin’s recommended method of installing MarkdownExtra for Textpattern is to rename markdown.php to classTextile.php and drop this file in place of Textpattern’s old one. This works well, but it brings a big security hazard: Markdown syntax explicitly allows plain HTML, and Fortin’s class does no filtering of it for malicious content (unlike Textile, which escapes all HTML). So unless you do extra work, every comment becomes a vector for XSS attacks: a commenter can post a script tag, an event-handler attribute or a javascript: link and it will be served to every reader of the page.

My solution was to bolt on the excellent HTML Purifier package. After installing it on the server, edit the new classTextile.php, and add this line just above the definition for class Textile:

require_once '/path/to/web/plugins/htmlpurifier/HTMLPurifier.standalone.php';

Then change the TextileRestricted function to read as follows:

function TextileRestricted($text, $lite='', $noimage='') {
    // $noimage is kept only so the signature Textpattern calls still matches.
    // Order matters: render the Markdown to HTML first, then purify the result.
    // Purifying the Markdown source would escape syntax such as the leading > of a blockquote.
    $purifier = new HTMLPurifier();
    $text = $this->TextileThis($text, $lite);
    return $purifier->purify($text);
}

Update: The code above has been corrected so that Markdown is applied first and the purifier second. If you do it the other way around, the purifier will break certain Markdown features (such as using > for blockquotes), because it escapes the raw > before Markdown ever sees it.
