Feeds:
Posts
Comments

Posts Tagged ‘python’

A little demonstration how to use textile and djangos (free)comment system to “take over” a site:

%{display: block; position: absolute !important; top: 25px; left: 25px; z-index: 100; background-color: red; font-size: 50px;}Your text here ... site hacked%

Textile allows CSS per default -> you can do anything with CSS -> so it’s quite easy to position any amount of HTML code anywhere on the site… Bad textile!!! Give it a try and post the code example from above on your favorite textile powered site.

Apart of being a fun hack, it could be used to exploit users by overloading links, so that they point to phishing sites.  So don’t allow untrusted people to use textile markup!

Read Full Post »

textile hacked, part 1

While writing my little django blog, I first encountered textile. So far so good. Very nice. But not perfect 🙂 So the first of my hacks was to implement a django template filter version of textile that supported head_offset.

If you want it too, simply change django/contrib/markup/templatetags/markup.py from

return mark_safe(force_unicode(textile.textile(smart_str(value), encoding='utf-8', output='utf-8')))

to

return mark_safe(force_unicode(textile.textile(smart_str(value), encoding='utf-8', output='utf-8', head_offset=settings.MARKUP_HEAD_OFFSET)))

Don’t forget to set something like MARKUP_HEAD_OFFSET = 2 in your settings.py.

voilĂ !

Read Full Post »