
Switch to ammonia

Open baseplate-admin opened this issue 2 years ago • 4 comments

Hi,

Since bleach is deprecated, I think it's better if we switch to nh3.

Apologies, I am not familiar with how bleach integrates with django-markdownfield.

baseplate-admin, Apr 24 '23 11:04

@baseplate-admin We had a conversation in django-wiki about the same thing. We chose to just park the decision for now since Bleach is still under limited maintenance, and we could just wait and see what happens. The conversation is 3 months old now, so would be curious to hear from others.

Do you think that nh3 is showing signs of being a long-term project?

benjaoming, Apr 24 '23 13:04

> We chose to just park the decision for now since Bleach is still under limited maintenance, and we could just wait and see what happens.

Ah, I see, so I am not the first guy who was worried to see bleach in maintenance.

Back to topic.

Taking a quick look at nh3, it's built on ammonia, which itself depends on html5ever, which AFAIK parses HTML the same way Firefox does.

> Do you think that nh3 is showing signs of being a long-term project?

Apologies, I can't answer this question with certainty (perhaps @messense would be kind enough to answer this, and say how he plans to maintain the nh3 project), but to me nh3 looks like a solid project that lacks adoption :)

baseplate-admin, Apr 24 '23 15:04

I would lean towards whatever has the strongest security foundations - though future maintenance is obviously important too.

As nh3 is a binding for a Rust library, we would also want to make sure it's easy to build cross-platform - or has a good supply of pre-built wheels for common Python versions/operating systems.

dmptrluke, Apr 24 '23 23:04

> I would lean towards whatever has the strongest security foundations - though future maintenance is obviously important too.

Servo project is used in Mozilla, so we can expect strong security and quick patches.

> As nh3 is a binding for a Rust library, we would also want to make sure it's easy to build cross-platform - or has a good supply of pre-built wheels for common Python versions/operating systems.

At this point it looks like it has a good supply of pre-built wheels for Python up to version 3.11.

It also seems that the maintainer is super friendly to users migrating from bleach.

See: https://github.com/messense/nh3/issues/10

baseplate-admin, Apr 25 '23 03:04