This is an XSS vulnerability.
This also blocks a number of MD attributes that a user might attempt to
use.
The following are the allowed attributes.
['a', 'abbr', 'acronym', 'b', 'blockquote', 'code', 'em', 'i', 'li',
'ol', 'p', 'pre', 'strong', 'ul']
I believe this to be acceptable, as honestly, a speaker using H1 is going
to stomp all over the page and make it harder for the reviewer to parse.
UX wise, it's less than great. A user can do # title and be left with
<h1> in the sanitized output.
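As an added illustration of the allowlist approach the commit above describes (this is example code, not symposion's own sanitizer), the following takes the HTML that a markdown renderer would emit and escapes every tag outside the allowed list, so a `# title` heading comes back as literal `&lt;h1&gt;` text rather than a rendered heading. The tag list is the one from the commit; the attribute allowlist and the `href` scheme check are assumptions added for the example.

```python
from html import escape
from html.parser import HTMLParser

# Tag allowlist copied from the commit message; the attribute allowlist
# and the URL-prefix check below are assumptions made for this example.
ALLOWED_TAGS = {'a', 'abbr', 'acronym', 'b', 'blockquote', 'code', 'em',
                'i', 'li', 'ol', 'p', 'pre', 'strong', 'ul'}
ALLOWED_ATTRS = {'a': {'href', 'title'}, 'abbr': {'title'}, 'acronym': {'title'}}
SAFE_URL_PREFIXES = ('http://', 'https://', 'mailto:', '/', '#')


class AllowlistSanitizer(HTMLParser):
    """Escape, rather than silently drop, anything outside the allowlist."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # <h1>, <script>, <img> ... are emitted as visible text
            self.parts.append(escape(self.get_starttag_text(), quote=False))
            return
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops on* handlers, style, class, ...
            if name == 'href' and not value.lstrip().lower().startswith(SAFE_URL_PREFIXES):
                continue  # refuses javascript: and data: style links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.parts.append(f'<{tag}{"".join(kept)}>')

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.parts.append(f'</{tag}>')
        else:
            self.parts.append(escape(f'</{tag}>', quote=False))

    def handle_data(self, data):
        # convert_charrefs=True already decoded entities, so re-escape
        # the text to keep it text (this also covers <script> bodies)
        self.parts.append(escape(data, quote=False))

    # comments, doctypes and processing instructions fall through to the
    # base class's no-op handlers and are dropped


def sanitize(html):
    """Return html with only allowlisted tags/attributes left intact."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return ''.join(parser.parts)


if __name__ == '__main__':
    # constructed samples: what a markdown renderer emits for "# title",
    # plus two inputs a sanitizer must neutralise
    print(sanitize('<h1>title</h1>'))
    print(sanitize('<p>hi <script>alert(1)</script></p>'))
    print(sanitize('<a href="javascript:alert(1)" onclick="x()">link</a>'))
```

Escaping instead of stripping is what produces the visible `<h1>` in the reviewer's view that the commit mentions; it is the safer default because a dropped tag can leave its contents (or a second, nested payload) in place unnoticed.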
In the future, when we want to lock a package to a specific version, we
will do that via a constraints file in the master project.
Making it difficult to update deps is not okay.
Loosen Django requirement to allow versions greater or equal to 1.8.5,
instead of mandating 1.8.5. This makes it easier to use newer releases
of Django (e.g. the bugfix and security releases 1.8.6 or 1.8.7) with
symposion.
* Remove markitup (to be replaced with Ace editor)
* Use DUA decorators
* Removed custom signup bits
* Upgraded dependencies
* Added migrations
* Namespaced template locations
* Removed html5parser/sanitizer (for now) - parsing functionality
should be moved out entirely to hooks
* Replaced ProposalScoreExpression object with a function that returns
F() expressions
django-timezones does not support Python 3. django-timezone-field is
a revived fork that does.
For some unknown reason django-timezone-field's TimeZoneField does
not like positional arguments, so I changed the first argument to a
kwarg "verbose_name".
These have all been moved to the starter project,
pinax-project-symposion. The reasoning behind this is they are very
specific to the theme (pinax-theme-bootstrap) that the project uses and
not really all that reusable when packaged with this app.