Allow HTML tags in comments

tmix
Regular
Posts: 6
Joined: Fri Apr 06, 2007 4:57 pm

Allow HTML tags in comments

Post by tmix »

Hello,

I was looking for a way to enable HTML tags in comments on my s9y blog. Basically I would like to allow commentators to use tags like <a>, <i>, <s> and so on. So, is there a way to turn on HTML in comments?

And no, I don't want to use BBCode :-) And I tried Markdown and I think it is awful.

Any help is appreciated!
d_cee
Regular
Posts: 603
Joined: Wed Jan 18, 2006 6:32 pm
Location: UK
Contact:

Post by d_cee »

Hi

you could install the event plugin that 'Transforms HTML for comments'

HTH

Dave
tmix
Regular
Posts: 6
Joined: Fri Apr 06, 2007 4:57 pm

Post by tmix »

Ok, I had this plugin installed (it has a strange name in German, so I didn't know what it was supposed to do...). But if it is active, the HTML tags in the comments are simply displayed.

For example, it will display
<a href="http://asdf">qwer</a>
instead of
qwer
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Post by garvinhicking »

Hi!

True HTML in comments is not possible in Serendipity, because HTML gets stripped at core level.

We believe it's simply too dangerous nowadays to offer this possibility, and XSS exploits and other nasty stuff are too simple. Restricting to a list of whitelisted tags still allows for various javascript-injection that you can't really successfully block out.

One could write a plugin to allow HTML, but because of the concerns stated I can't offer help with this with a good conscience. :)

Going with BBCode and other markups is really the much better way to go.

Best regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
tmix
Regular
Posts: 6
Joined: Fri Apr 06, 2007 4:57 pm

Post by tmix »

Ok, now to the funny part:

1. With the 'Transforms HTML for comments' plugin, HTML works in the RSS-feed for the comments (did not test it without the plugin...)

2. BBCode is not translated into HTML for the RSS-feed...

sorry, it is late and I need to go to bed...
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Post by garvinhicking »

Hi!

Thanks a lot - in fact the display of HTML in the RSS-comment feed was not yet stripped. I fixed that bug in recent versions.

When you have the "Transform HTML" plugin enabled, BBCode can no longer be transformed/displayed, because the bbcode itself is turned into HTML, and the HTML is then escaped again. You might be able to fix this, though, by putting the BBCode-plugin AFTER the Transform-HTML plugin.

HTH,
Garvin
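Garvin's ordering advice, shown as an added Python example (this is not s9y code, which is PHP): two stand-in functions model the BBCode markup plugin and the "Transform HTML for comments" plugin, and the same comment is pushed through the markup chain in both orders. The function names and the sample comment are constructed for this example.

```python
import html
import re

# Constructed sample comment (not taken from the thread): a BBCode link
# next to a raw HTML tag typed by the commenter.
SAMPLE_COMMENT = 'See [url=https://example.com/]this page[/url] and <b>bold</b>.'

# Only http(s) URLs become links; the character class also excludes the
# double quote, so the generated href attribute cannot be closed early.
_URL_RE = re.compile(r'\[url=(https?://[^\]\s"<>]+)\](.*?)\[/url\]', re.DOTALL)
_BOLD_RE = re.compile(r'\[b\](.*?)\[/b\]', re.DOTALL)


def bbcode_markup(text: str) -> str:
    """Stand-in for the BBCode markup plugin: [url] and [b] become HTML."""
    text = _URL_RE.sub(r'<a href="\1">\2</a>', text)
    return _BOLD_RE.sub(r'<b>\1</b>', text)


def transform_html_markup(text: str) -> str:
    """Stand-in for the 'Transform HTML for comments' plugin: every < and >
    in the text is turned into an entity, so raw tags display as text."""
    return html.escape(text, quote=False)


def run_markup_chain(text: str, plugins) -> str:
    """s9y applies markup plugins in their configured order at display time;
    this just calls each stand-in in sequence."""
    for plugin in plugins:
        text = plugin(text)
    return text


def bbcode_then_transform(text: str) -> str:
    """The ordering tmix ran into: the BBCode output is escaped again, so the
    generated <a> tag shows up as literal text in the rendered comment."""
    return run_markup_chain(text, [bbcode_markup, transform_html_markup])


def transform_then_bbcode(text: str) -> str:
    """The ordering Garvin suggests (BBCode plugin after Transform-HTML): raw
    HTML is neutralised first, then BBCode is converted, so the only tags that
    reach the page are the ones the BBCode converter itself generates."""
    return run_markup_chain(text, [transform_html_markup, bbcode_markup])


if __name__ == '__main__':
    print(bbcode_then_transform(SAMPLE_COMMENT))
    print(transform_then_bbcode(SAMPLE_COMMENT))
```

In the second ordering the link text has already been escaped by the time the BBCode converter copies it into the anchor, so a commenter cannot smuggle tags through `[url]`; that, plus the scheme restriction in the regex, is what makes the converter's own output safe to leave unescaped.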
dakira
Regular
Posts: 20
Joined: Tue May 25, 2004 4:21 am

Post by dakira »

Hi,

I know this subject has been dead for a while and I know how you (garvin) think about using html in comments. I just wanted to add some thoughts.

With markups like bbcode it is so complicated for the average commenter to e.g. insert a link that they refrain from doing it (in my experience). That makes longer comments with links unreadable. Some commenters (who are not smart enough to know how to use bbcode) are smart enough to use footnotes and put the links at the end of their comments. That works nicely, but is not really in the spirit of the interweb.

So would it really be a risk to check for a certain tag (like <a>) and strip the rest? I am of course no security expert. But not being able to write links with the <a>-tag is a major inconvenience for visitors to s9y blogs, I think.

Regards
dakira
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Post by garvinhicking »

Hi!

How about instead using the RegExp markup plugin, that comes with a "clickable URL" rule that you can use so that hyperlinks are automatically converted? You can specifically enable this for comments.

HTH,
Garvin
dakira
Regular
Posts: 20
Joined: Tue May 25, 2004 4:21 am

Post by dakira »

garvinhicking wrote:How about instead using the RegExp markup plugin, that comes with a "clickable URL" rule that you can use so that hyperlinks are automatically converted? You can specifically enable this for comments.
Mhh.. that would just make the links clickable but readers would still have ugly links in the comments. In WP blogs you often see readers posting something like:
Check out <a href="ht..">Weblogs</a> on wikipedia for more information on the topic.

That makes the comment integrate nicely with the rest of the content and your readers usually try using <a> tags before anything else. On the other hand WP blogs ARE an absolute security mess ;)

On that note I have to say I love what the guys from ubuntuusers.de have done with their portal. They threw everything away (forum/wiki) and wrote their own software sporting wiki syntax everywhere the user can interact. But in a blog that just brings one back to the problem that the regular commenter will still try to use <a>-tags.

Anyway.. thanks for your suggestion!

PS: I just bought World of Goo and have to cry it out loud: This is so good it makes me cry ;).. sorry for OT
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Post by garvinhicking »

Hi!

The problem is that <a> is really the most dangerous HTML tag. One could write a simple parser plugin (or even regular expression markup) for it, but I'm really too afraid of the security implications and much rather advocate the use of bbcode or wikilike markup...
dakira wrote:PS: I just bought World of Goo and have to cry it out loud: This is so good it makes me cry ;).. sorry for OT
I bought that a few weeks ago and also absolutely loved it. It's an awesome game. Everyone should go buy this.

Regards,
Garvin
dakira
Regular
Posts: 20
Joined: Tue May 25, 2004 4:21 am

Post by dakira »

garvinhicking wrote:The problem is that <a> is really the most dangerous HTML tag.
I know.. I was just thinking there has to be some secure way since a lot of major websites allow it in their comments.
Anson
Regular
Posts: 24
Joined: Thu Apr 16, 2009 7:05 am

Re:

Post by Anson »

dakira wrote:
garvinhicking wrote:The problem is that <a> is really the most dangerous HTML tag.
I know.. I was just thinking there has to be some secure way since a lot of major websites allow it in their comments.
Hey, look at that! Between dakira's post and mine, there appears to be spam. :(

Anyway, I've got what I consider to be a first pass at a plugin to allow HTML in comments up and running. As I mention elsewhere it's based on HTML Purifier, but I'm not completely happy with it yet because I haven't audited the list of acceptable tags (IMO, a/b/i/strong/em/p/br/cite/blockquote should be enough, and maybe img - all with very restricted allowed attributes too). It doesn't support any real configuration - it's on or it's off. The main configuration option it's missing is an on/off switch for img tags... not everyone wants those.

Still, I'd like to revive discussion of whether this is a good idea, particularly since I started with a solid existing library (rather than write my own) and it doesn't appear to be based on anything as fragile as regular expressions.
judebert
Regular
Posts: 2478
Joined: Sat Oct 15, 2005 6:57 am
Location: Orlando, FL
Contact:

Re: Allow HTML tags in comments

Post by judebert »

Well, HTML Purifier is reasonably robust: no vulnerabilities since Jun 2008, and that one was quickly fixed. As long as you keep up with it, I'd be willing to use it in my website.

You'd also have to consider how it will interact with HTML quoting. I've got some articles on my site that are HTML/CSS technical articles, so occasionally my visitors want to leave HTML snippets in the comments. Right now I use the Transform HTML in Comments plugin to make that possible. Will your new plugin allow those comments to remain, apply the actual HTML, or strip it?
Judebert
---
Website | Wishlist | PayPal
Anson
Regular
Posts: 24
Joined: Thu Apr 16, 2009 7:05 am

Re: Allow HTML tags in comments

Post by Anson »

judebert wrote:Well, HTML Purifier is reasonably robust: no vulnerabilities since Jun 2008, and that one was quickly fixed. As long as you keep up with it, I'd be willing to use it in my website.

You'd also have to consider how it will interact with HTML quoting. I've got some articles on my site that are HTML/CSS technical articles, so occasionally my visitors want to leave HTML snippets in the comments. Right now I use the Transform HTML in Comments plugin to make that possible. Will your new plugin allow those comments to remain, apply the actual HTML, or strip it?
My plugin would apply the actual HTML, or strip it (if it fell outside acceptable HTML). HTML to be displayed would have to be escaped, just as if you were editing a regular web page that displayed HTML tags, mainly using &lt; in place of <. Off the top of my head, I can't think of another good heuristic to somehow apply some HTML, and transform other HTML into entities for display, without escaping one or the other to show they should be applied or transformed.

Also, since markup plugins are applied upon display, rather than entry, the current active plugins each time a comment is displayed are what matter, not the plugins active when the comment was entered. So old comments with raw HTML in them would show up with that raw HTML applied or stripped, rather than according to the way it looked when the comment was entered.

In your case, with existing comments, it would probably require a database query to effect the change if you wanted to do it. In my case, it would have required a database query to modify existing comments (imported from LiveJournal) to use something other than HTML. I don't think there's a great solution for this, other than "use the particular plugins you need." Mine is just one of many that serve a particular need. :)
judebert
Regular
Posts: 2478
Joined: Sat Oct 15, 2005 6:57 am
Location: Orlando, FL
Contact:

Re: Allow HTML tags in comments

Post by judebert »

Anson wrote: My plugin would apply the actual HTML, or strip it (if it fell outside acceptable HTML). HTML to be displayed would have to be escaped, just as if you were editing a regular web page that displayed HTML tags, mainly using &lt; in place of <. Off the top of my head, I can't think of another good heuristic to somehow apply some HTML, and transform other HTML into entities for display, without escaping one or the other to show they should be applied or transformed.
Sounds like I'd have to modify the BBCode (or other markup) plugin to escape the HTML that should be escaped, like in code blocks. Does HTML Purifier already provide some method for this? (Probably just HTML escapes.)
Anson wrote: Also, since markup plugins are applied upon display, rather than entry, the current active plugins each time a comment is displayed are what matter, not the plugins active when the comment was entered. So old comments with raw HTML in them would show up with that raw HTML applied or stripped, rather than according to the way it looked when the comment was entered.
I noticed that! I was actually rather pleased. Now that I've installed "Transform HTML in Comments", the existing comments suddenly displayed the HTML tags.

Now all I have to do is find some way to delimit the places where HTML should be applied and the places where it should be escaped.
Judebert
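The allowlist approach dakira asks about, with the element list Anson proposes (a/b/i/strong/em/p/br/cite/blockquote, img as an optional switch), as an added Python example that is neither the plugin's code nor HTML Purifier. It shows the point behind Garvin's objection to a plain tag whitelist: keeping only allowed elements is not enough, the sanitizer also has to drop every attribute that is not allowlisted and check the URL scheme on href and src. It also passes a commenter's own `&lt;` entities through as literal text, which is the escaping convention Anson and judebert discuss for showing HTML snippets in a comment. The class and function names, the attribute allowlist, the scheme check and all sample inputs are assumptions of this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Element -> allowed attributes. The element list is the one Anson proposes in
# the thread; everything else here is an assumption of this example.
ALLOWED = {
    'a': {'href'}, 'b': set(), 'i': set(), 'strong': set(), 'em': set(),
    'p': set(), 'br': set(), 'cite': set(), 'blockquote': set(),
}
IMG_ATTRS = {'src', 'alt'}          # only used when the img switch is on
SAFE_SCHEMES = {'http', 'https'}    # href/src must be absolute http(s) URLs
VOID = {'br', 'img'}                # elements that never get a closing tag


def safe_url(value):
    """Return a normalised URL if it is absolute http(s), otherwise None.
    Allowing schemes (instead of blocking known-bad ones) rejects
    javascript:, data:, vbscript: and anything not yet thought of in one rule."""
    try:
        parts = urlsplit(value.strip())
    except ValueError:              # e.g. a malformed IPv6 host
        return None
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return None
    return parts.geturl()


class AllowlistSanitizer(HTMLParser):
    """Re-serialises a comment, keeping only allowlisted elements and
    attributes. Disallowed elements lose their tags but keep their text."""

    def __init__(self, allow_img=False):
        # convert_charrefs=False so a commenter's own &lt; reaches
        # handle_entityref and can be re-emitted untouched.
        super().__init__(convert_charrefs=False)
        self.allow = dict(ALLOWED)
        if allow_img:
            self.allow['img'] = IMG_ATTRS
        self.out = []
        self.open_tags = []         # allowed elements currently open, for balancing

    def handle_starttag(self, tag, attrs):
        if tag not in self.allow:
            return                  # drop the tag of <script>, <div>, <iframe>, ...
        kept = []
        for name, value in attrs:
            # Every non-allowlisted attribute (all on* handlers, style, ...) is
            # dropped here; an element allowlist alone would let them through.
            if name not in self.allow[tag] or value is None:
                continue
            if name in ('href', 'src'):
                # HTMLParser has already decoded entities in the value, so an
                # entity-encoded "javascript:" is seen here in plain form.
                value = safe_url(value)
                if value is None:
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag in ('a', 'img') and not kept:
            return                  # link or image without a usable URL: drop it
        self.out.append(f'<{tag}{"".join(kept)}>')
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in self.allow and tag not in VOID:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return                  # stray closing tag, or one we never opened
        while self.open_tags:       # close inner elements first so output nests
            inner = self.open_tags.pop()
            self.out.append(f'</{inner}>')
            if inner == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def handle_entityref(self, name):
        self.out.append(f'&{name};')    # a typed &lt;b&gt; stays visible text

    def handle_charref(self, name):
        self.out.append(f'&#{name};')

    def handle_comment(self, data):
        pass                            # comments, doctypes and PIs are dropped

    handle_decl = handle_pi = handle_comment

    def result(self):
        while self.open_tags:           # close anything the commenter left open
            self.out.append(f'</{self.open_tags.pop()}>')
        return ''.join(self.out)


def sanitize(fragment, allow_img=False):
    parser = AllowlistSanitizer(allow_img=allow_img)
    parser.feed(fragment)
    parser.close()
    return parser.result()
```

Because the parser re-serialises from its own token stream rather than patching the input string, nothing the commenter typed is copied to the output verbatim; that is the property Anson gets from HTML Purifier and the one a regular-expression filter cannot give. The code-block delimiting judebert asks for would be a separate pre-pass that entity-escapes the inside of a `[code]` block before this sanitizer sees it, so the block's tags arrive as `&lt;` text and are left alone.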