
the elusive commenting system

BDT (yeah, third post in, already acronym-ising this thing) finally has one of them there commenting systems. Check it out below if you don’t believe me.

The delay

The reason I held back was that I wanted to “hand-roll” my system for maximum control. Yeah, this is a gross violation of “don’t reinvent the wheel” (Django has a comments module), but sometimes invention is fun even if you’re contributing nothing new to anything. My main motivation for spitting in the face of Django was that at some stage I want to play with Akismet. There are tutorials out there for adding Akismet using the existing comments system; however, they all involve altering core Django code, and I sorta felt that this could be a bit messy – particularly in terms of maintenance further down the line.

The problem

The Django API makes it a breeze to add a comment; the big problem comes in escaping stray HTML / JavaScript and the like. I could write my own sanitiser – it probably wouldn’t be all that hard, but I would never want to reinvent the wheel (I’m banking on 90% of readers skimming the last paragraph). The only method out there in Django seems to be the one in the template system – and that’s only going to be directly useful in sanitising the main blog page, and only then if I explicitly tell it to on every template. It won’t stop somebody from submitting some code that messes about with my admin page, for example, because the raw, unescaped text is what ends up in the database. But the method itself is useful: it is powerful, and in one command it can strip a string of any potential offensiveness (by offensiveness I mean XSS etc., not the word “dick” – we wouldn’t want to prevent people from commenting about their favourite British pudding now, would we?).

The solution

PS: I stumbled upon this idea while surfing but cannot remember where; if you were the originator, tell me and I’ll give due credit.

To harness the escape method, first you need to hook into the django.template module – specifically the Parser class (I was stumbling about aimlessly in the python shell when I finally cracked this one; there is probably a better way of doing this). On an instance of the Parser class you call the find_filter method, which returns the escape filter function, and you can then use that function at will. So, sticking this in your “add a comment” view-method-thing would look a little like this:


from django.template import Parser

...ace django code goes here...

# Parser expects a list of template tokens; we never parse anything,
# so an empty list will do. Constructing it loads the built-in filter
# library, which is what we are really after.
p = Parser([])
# Look up the built-in "escape" filter by name. (The same function is
# also reachable directly as django.utils.html.escape.)
esc = p.find_filter("escape")
# Escape the submitted text *before* it is stored, so <, >, &, quotes
# etc. are turned into entities and can never be rendered as markup.
new_comment.content = esc(new_comment.content)
new_comment.save()

...more ace django code...

note to self: find / implement a “code” template module. Preferably with syntax highlighting built in.

Obviously, you’ll want to do some content checks and the like, but you get the general idea. I am of the opinion that if you are not super paranoid about what you let into an effectively open database then you are asking for trouble. If you need further proof (beyond common sense), look at all of the trouble MySpace have had over the years.
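To make the escape-on-save idea concrete without needing Django installed, here is an added example (mine, not the post’s code) that uses the standard library’s html.escape, which turns the same five characters into entities as Django’s escape does. The sample comments are constructed, and render_template is a stand-in for a template that outputs the stored value, so the double-escaping you get once template autoescaping is also on shows up in the output.

```python
import html

# Constructed sample submissions (not taken from the post); the second and
# third are the kind of thing a sanitiser has to neutralise.
SAMPLE_COMMENTS = [
    "Spotted dick is my favourite British pudding",
    '<script>alert("xss")</script> great post',
    'click <a href="http://example.invalid" onmouseover="x()">here</a>',
    "Tom & Jerry",
]


def escape_for_storage(text):
    """What the post's esc(...) call does to a comment: & < > " ' become
    entities, so the browser can only ever show them as text."""
    return html.escape(text, quote=True)


def save_comment(raw, store):
    """Escape on the way in, before the row reaches the database."""
    clean = escape_for_storage(raw)
    store.append(clean)
    return clean


def is_markup_free(stored):
    """Check that a stored value can no longer open a tag or an attribute."""
    return "<" not in stored and ">" not in stored and '"' not in stored


def render_template(stored, autoescape):
    """Stand-in for a template emitting the stored value. With autoescaping
    on, the already-escaped text is escaped a second time (&lt; -> &amp;lt;),
    which is the main drawback of escaping on input rather than on output."""
    return html.escape(stored, quote=True) if autoescape else stored


if __name__ == "__main__":
    db = []
    for raw in SAMPLE_COMMENTS:
        stored = save_comment(raw, db)
        print(stored)
        print("   autoescaped render:", render_template(stored, True))
```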

Still to come…

Hmmmm, somehow this has formed itself into BDT’s first “proper” entry; I should probably have planned it better. Anyway, next on my list are per-category feeds, a bit of an “about” section and then some playing with Django vs Jabber interactivity. Should be fun, yay!