Better Comments

I've just finished a major re-write of my comment posting mechanism. The first time around, I'd tried to be pretty careful about sanitizing input from commenters[1]. I was therefore rather disappointed to discover that I could break my own site within three minutes of trying to compose a malicious comment.

No longer! I have resolved the problems and made the commenting system much better to use anyway. The main problem was that I was very enamored of the idea of letting commenters format their comments using Markdown, but Markdown depends on the '>' and '"' characters, among others, and those must be escaped as HTML entities to prevent malicious data from wreaking havoc. Luckily, since I have the source code to the PHP Markdown Extra parser that I'm using, I was able to build a copy which accepts HTML entities in place of the now-escaped characters. While I was at it, I added a time-based prefix to all footnote anchors in each comment, so that commenters can use footnotes without interfering with my footnotes or those in other comments. My new system may not be totally bullet-proof, but it's fairly tough, with no weaknesses or flaws I yet know of.
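As an added illustration (not the post's code, and not the modified PHP Markdown Extra parser itself), here is a toy formatter for a tiny Markdown subset that applies the two ideas above: escape the whole comment first, then have the formatting rules match the escaped forms, and prefix every footnote anchor with a per-comment value. Function names and the footnote markup are hypothetical.

```php
<?php
// Added example, not the author's code: escape first, then format the
// escaped text, and give footnote anchors a per-comment prefix.

function escape_comment(string $raw): string {
    // Escape <, >, &, " and ' before any formatting touches the text.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function format_comment(string $raw, string $prefix): string {
    // Only [A-Za-z0-9_] survives in the prefix, so it is safe inside id/href.
    $prefix = preg_replace('/[^A-Za-z0-9_]/', '', $prefix);
    $out = [];
    foreach (explode("\n", escape_comment($raw)) as $line) {
        if (preg_match('/^&gt;\s?(.*)$/', $line, $m)) {
            // Blockquote rule rewritten to match the escaped '>' (&gt;).
            $out[] = '<blockquote>' . $m[1] . '</blockquote>';
        } elseif (preg_match('/^\[\^(\w+)\]:\s*(.*)$/', $line, $m)) {
            // Footnote definition: its anchor carries the comment-specific prefix.
            $out[] = '<p id="fn-' . $prefix . '-' . $m[1] . '">' . $m[1] . '. ' . $m[2] . '</p>';
        } elseif ($line !== '') {
            $out[] = '<p>' . $line . '</p>';
        }
    }
    $html = implode("\n", $out);
    // Footnote references link to the prefixed anchor of the same comment.
    return preg_replace_callback('/\[\^(\w+)\]/', function ($m) use ($prefix) {
        $id = $prefix . '-' . $m[1];
        return '<sup><a href="#fn-' . $id . '" id="fnref-' . $id . '">' . $m[1] . '</a></sup>';
    }, $html);
}

// Constructed sample comment: a literal "&gt;" (which must NOT become a
// blockquote, since it is escaped to "&amp;gt;"), a real quote line, a
// footnote, and an attempted script tag that ends up as plain text.
$comment = "&gt; not a quote\n> quoted text\nHello[^1] <script>alert(1)</script>\n[^1]: my note";
// Time-based prefix, as in the post, so anchors differ between comments.
echo format_comment($comment, 'c' . time()), "\n";
```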

Lastly, I made the commenting page look much nicer, including putting in a miniature Markdown syntax guide. In fact, I'm jealous now; it looks way nicer than my private page here for writing my posts, even if my page does let me insert any evil HTML I want.


1. It's not like I can trust what they'll put in the comment field. I mean, with people like you here, I've got to be pretty careful.
