Comment Submission (client side)
Comment Submission (server side)
The POST request is picked up by a PHP script on the server which collects the form data. The script sanitizes the form data and emails it to me as JSON in a MIME attachment. The comment text is written into the email body so that I can quickly verify the comment content.
Comment Moderation and Deployment
Once I get the email containing the comment I can check that it's not spam
and then add it to the website. Of course I don't manually add the
comment to the website source, but have a script which does this for me.
All I have to do is forward the email on to
firstname.lastname@example.org, which I reserve for the purpose of
receiving moderated comments. A cron job periodically checks for new email
at this address, adds the attached comments to the blog source code and
then deploys the updated version to the webserver. Everything being stored
in git repositories means that I've got a complete history of any changes
made and can always roll back any errors.
Adding comments to the blog opens it up to a class of security
vulnerabilities known as "cross-site scripting", or "XSS". If someone
tags, and if I then embed that raw comment into the post's webpage, then
josephweston.org this would probably be more a nuisance than
anything else, as viewers don't have any sensitive data associated with
however, then an attacker could potentially access information associated
with other domains (e.g. auth tokens for banking websites / email open in
engine entirely. Better to try and avoid such problems rather than
rationalise them! To try and mitigate this, all external content is run
through the Python markdown module with safe mode enabled. This
should escape all HTML in the input, but still allow comments to be marked
up using Markdown syntax. One caveat for anyone copying this today: Python-Markdown
deprecated safe_mode in 2.6 and removed it in 3.0, so on a current version the
rendered output has to go through a separate HTML sanitiser instead. Whatever
does the escaping, any link syntax you allow also needs its URL scheme checked:
an escaped "javascript:" URL is still a "javascript:" URL once it lands in an href.
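The escape-then-mark-up order described above, as an added example that is not the blog's code and does not use the Python-Markdown module: a hand-rolled three-feature Markdown subset in stdlib Python, with the vulnerable raw-embedding path beside it. The allowed URL schemes and the sample comments are assumptions.

```python
"""Comment rendering: escape first, then generate markup from the escaped text.

Added illustration, not the blog's code and not the Python-Markdown module.
Shows why the order matters and the one case escaping alone does not cover:
links whose scheme is not http(s).
"""
import html
import re

SAFE_SCHEMES = ("http://", "https://")   # assumed allow-list


def render_unsafe(text: str) -> str:
    """The vulnerable path: the raw comment embedded into the page as-is."""
    return f"<p>{text}</p>"


def _link(match) -> str:
    label, url = match.group(1), match.group(2)
    # The URL was entity-escaped before this runs, so quotes cannot break out of
    # the attribute. What escaping does not stop is a javascript:/data: scheme,
    # so those links are dropped and only their label survives.
    if not url.lower().startswith(SAFE_SCHEMES):
        return label
    return f'<a href="{url}" rel="nofollow">{label}</a>'


def render_safe(text: str) -> str:
    """Escape every HTML special character, then apply a tiny Markdown subset
    (**bold**, *italic*, [label](url)) to the already-escaped text."""
    out = html.escape(text, quote=True)
    out = re.sub(r"\*\*(.+?)\*\*", r"<strong>\1</strong>", out)
    out = re.sub(r"\*(.+?)\*", r"<em>\1</em>", out)
    out = re.sub(r"\[([^\]]+)\]\(([^)\s]+)\)", _link, out)
    return f"<p>{out}</p>"


if __name__ == "__main__":
    # Constructed sample comments: a script tag, a javascript: link, benign markup.
    for comment in ("<script>alert(1)</script>",
                    "[click me](javascript:alert%281%29)",
                    "**bold** and a [link](https://example.com/?a=1&b=2)"):
        print("unsafe:", render_unsafe(comment))
        print("safe:  ", render_safe(comment))
```

Escaping happens once, on the whole input, before any tag is generated; the Markdown rules then only ever see entity-encoded text, so the generated tags are the only tags in the output.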
As mentioned above, all comments that I validate are forwarded to a
secondary email address where they are picked up and pushed to the website
by a cron job. Now, email is not a particularly secure protocol by itself;
as it stands anyone who sends an email to
email@example.com with a correctly formatted JSON
attachment could bypass my validation mechanism altogether! My answer to
this is pretty simple: use GnuPG to sign the JSON attachments.
Every time I forward a validated comment to the secondary address
I sign all the parts of the email with my private key. These signatures
are then checked by the cron job before it adds the comment. Two details
make or break that check: the cron job has to confirm the signature was made
by my key specifically, not merely by some key in its keyring (gpg reports a
good signature from any known key, so the signing key's fingerprint needs an
explicit comparison), and the signed bytes have to be the attachment exactly
as the script will parse it, so the JSON cannot be swapped out from under a
valid signature.
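The whole pipeline from the server-side script to the cron job, as an added example in stdlib Python that is not the blog's own PHP or Python code. The moderator's GnuPG signature is stood in for by an HMAC-SHA256 tag under a shared key so the block runs without a gpg binary; a real deployment would produce a detached gpg signature and check the signer's fingerprint on verification. The field names, length limits, attachment filenames and MODERATOR_KEY are assumptions, and the sample form is constructed.

```python
"""Comment pipeline, end to end: submission -> moderation -> cron-side verification.

Added illustration, not the blog's PHP or Python scripts. GnuPG is replaced by an
HMAC-SHA256 tag (MODERATOR_KEY is an assumed shared secret) so the block runs with
the standard library only; the message shapes and the verify-before-accept logic
are the point.
"""
import email
import email.policy
import hashlib
import hmac
import json
import re
from email.message import EmailMessage

MODERATOR_KEY = b"replace-me-with-a-real-secret"   # hypothetical; a GnuPG key in reality
FIELD_LIMITS = {"author": 80, "email": 254, "text": 5000}   # assumed limits
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def sanitize_form(form: dict) -> dict:
    """Server-side cleanup of the POSTed form: known fields only, control characters
    stripped, length limits enforced. HTML is not escaped here; that belongs at
    render time, where the output context is known."""
    clean = {}
    for field, limit in FIELD_LIMITS.items():
        value = CONTROL_CHARS.sub("", str(form.get(field, ""))).strip()
        if len(value) > limit:
            raise ValueError(f"{field} exceeds {limit} characters")
        clean[field] = value
    if not clean["text"]:
        raise ValueError("empty comment")
    return clean


def submission_email(form: dict, post_slug: str) -> EmailMessage:
    """What the server mails to the moderator: comment text in the body for a
    quick look, the structured data as a JSON attachment."""
    comment = dict(sanitize_form(form), post=post_slug)
    msg = EmailMessage()
    msg["Subject"] = f"New comment on {post_slug}"
    msg.set_content(comment["text"])
    msg.add_attachment(json.dumps(comment, sort_keys=True).encode(),
                       maintype="application", subtype="json", filename="comment.json")
    return msg


def sign(payload: bytes) -> bytes:
    """Stand-in for a GnuPG detached signature over the attachment's raw bytes."""
    return hmac.new(MODERATOR_KEY, payload, hashlib.sha256).hexdigest().encode()


def attachments(msg: EmailMessage) -> dict:
    """filename -> decoded bytes for every attachment of the message."""
    return {p.get_filename(): p.get_content() for p in msg.iter_attachments()}


def forward_with_signature(payload: bytes, sig: bytes) -> EmailMessage:
    """What reaches the deploy address: the JSON plus a detached signature file."""
    fwd = EmailMessage()
    fwd["Subject"] = "Fwd: approved comment"
    fwd.set_content("approved")
    fwd.add_attachment(payload, maintype="application", subtype="json",
                       filename="comment.json")
    fwd.add_attachment(sig, maintype="application", subtype="octet-stream",
                       filename="comment.json.sig")
    return fwd


def moderator_forward(incoming: EmailMessage) -> EmailMessage:
    """Moderator approves: sign the JSON attachment exactly as received."""
    payload = attachments(incoming)["comment.json"]
    return forward_with_signature(payload, sign(payload))


def verify_forwarded(raw: bytes):
    """Cron-side check. Returns the comment dict, or None for unsigned, tampered
    or malformed mail. The signature is checked over the raw attachment bytes
    before the JSON is parsed, so nothing untrusted is interpreted first."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    parts = attachments(msg)
    payload, sig = parts.get("comment.json"), parts.get("comment.json.sig")
    if payload is None or sig is None:
        return None                      # attack 1: well-formed JSON, no signature
    if not hmac.compare_digest(sign(payload), sig):
        return None                      # attack 2: valid .sig, different JSON
    try:
        comment = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(comment, dict) or set(comment) != set(FIELD_LIMITS) | {"post"}:
        return None
    return comment


def tampered_copy(signed: EmailMessage) -> bytes:
    """Attack 2 as bytes on the wire: keep the genuine .sig, swap the JSON."""
    parts = attachments(signed)
    evil = dict(json.loads(parts["comment.json"]), text="<script>alert(1)</script>")
    return forward_with_signature(json.dumps(evil, sort_keys=True).encode(),
                                  parts["comment.json.sig"]).as_bytes()


# Constructed sample submission (note the embedded NUL, stripped by sanitize_form).
FORM = {"author": "Alice", "email": "alice@example.com", "text": "Nice post!\x00 **thanks**"}

if __name__ == "__main__":
    signed = moderator_forward(submission_email(FORM, "some-post"))
    print(verify_forwarded(signed.as_bytes()))                              # the comment
    print(verify_forwarded(submission_email(FORM, "some-post").as_bytes()))  # None
    print(verify_forwarded(tampered_copy(signed)))                          # None
```

Both attacks the text worries about fail at the same place: a mail sent straight to the deploy address carries no signature, and a mail whose signed attachment has been replaced no longer matches its signature, because the tag is computed over the attachment's exact bytes rather than over a parsed and re-serialised copy.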