Need a util.html_cleaner() method with good tests
There's no way around it, we're going to need a good sanitizer for
comment/description/etc. HTML **regardless** of
`whether or not we use markdown <http://bugs.foocorp.net/issues/363#note-5>`_
... so I think the HTML cleaner should:

- Use **only whitelisted tags**... this is possible through lxml,
  we need to do it right. Tags I think we'll need to allow: b, i, em,
  strong, p, ul, ol, li, a, br. (any others?)
- Only whitelisted attributes
- XSS attribute attack prevention, other XSS prevention stuff...
  see the lxml.html.clean docs.
- have tests that try to attack each one of these components.

In the future it might be a good idea to also prevent certain other
annoying things... deeply nested tags, etc. But for now I think this
will be good enough.
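An added example of the whitelist policy sketched in the bullets above, with tests that attack each component as the last bullet asks; it is not code from this issue or the project. It uses the standard library's ``html.parser`` in place of ``lxml.html.clean`` so it runs without lxml, and the attribute whitelist (``href``/``title`` on ``<a>``) and the allowed link schemes are assumptions, since the issue does not list them.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag whitelist from the issue; the attribute list and link schemes are assumptions
# (the issue only says "whitelisted attributes"), kept deliberately small.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "ul", "ol", "li", "a", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative link


def _safe_href(value):
    # Browsers drop tab/CR/LF anywhere in a URL and strip leading/trailing control
    # chars, so normalise the same way before checking, or "java\nscript:" slips by.
    compact = "".join(ch for ch in value if ch not in "\t\r\n")
    compact = compact.strip("".join(map(chr, range(0x21))))
    return compact if urlsplit(compact).scheme.lower() in SAFE_SCHEMES else None


class _Whitelister(HTMLParser):
    """Re-serialise whitelisted tags/attrs only; drop other tags, comments, script/style."""
    def __init__(self):
        super().__init__(convert_charrefs=True)  # attr values arrive entity-decoded
        self.out, self.skip = [], 0              # skip > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif tag in ALLOWED_TAGS:                # unknown tags vanish, their text stays
            kept = ""
            for name, value in attrs:
                if name not in ALLOWED_ATTRS.get(tag, ()):
                    continue                     # drops onclick, style, src, ...
                if name == "href" and (value := _safe_href(value or "")) is None:
                    continue                     # drops javascript:/data:/vbscript: links
                kept += f' {name}="{escape(value or "", quote=True)}"'
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))


def html_cleaner(fragment):
    parser = _Whitelister()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Unlike lxml's cleaner this does not rebuild the tree, so unbalanced tags pass through as written; the tag, attribute and scheme whitelisting is the part the tests exercise.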