Here we will cover the FastComments comment format, features supported while writing comments, how to format text, and the various filters and safety measures incorporated in the system.
Basic Formatting
FastComments uses a combination of Markdown and a simple subset of HTML to allow writing comments.
A nice resource for Markdown syntax is here.
For most common formatting, you can use the formatting toolbar to do things like bold or italicize text.
Some syntax examples are:
- Bold: `**bold**` or `<b>bold text</b>`
- Italics: `*italics*` or `<i>italic text</i>`
- Strikethrough: `~~strikethrough~~` or `<strike>strikethrough</strike>`
- Quotes: `> quote`
Note that Markdown headings are not supported.
Links can be written as their raw URL, without HTML or other syntax, and by default the link will be turned into a clickable link with `target="nofollow noopener"` to discourage spammers. Some sites may choose to disable automatic link creation.
Ordered lists can be written like:
1. One Item.
2. Second Item.
3. Third Item.
The same goes for bulleted lists:
- Some point.
- Some other point.
For programming-oriented communities, code can be shared by pasting it in the comment area, and the language will be auto-detected and formatted. Code can be added in `<code></code>` tags or Markdown code fences with backticks.
Security
There are multiple aspects to security when letting people add content to a website and then rendering that content on many different types of devices.
Preventing Formatting Abuse
People can write content that is intentionally visually distracting and detracts value from discussions by abusing text formatting.
FastComments does a number of things to prevent abuse in regard to formatting:
- Large repeated consecutive newlines are collapsed.
- We don't render headings (they become normal text).
- We don't allow CSS or custom colors.
Preventing Exploits
Exploits can be created in systems that render HTML. FastComments does several things to prevent this:
- We only allow an explicitly defined set of HTML tags.
- We only allow an explicitly defined set of HTML tag attributes.
- We purify and sanitize all inputs.
  - This is done via the DOMPurify and sanitizeHtml libraries.
  - We chose these libraries as being well tested (having over 4 and 1 million downloads per week, respectively).
This means that users can't do things like write `<script>` or `<style>` tags, or try to add `onload=alert()` type scripts to images or other content.
The HTML tags we allow are as follows:
- `<b>`
- `<em>`
- `<u>`
- `<i>`
- `<strike>`
- `<pre>`
- `<span>`
- `<code>`
- `<img>`
- `<a>`
- `<strong>`
- `<ul>`
- `<ol>`
- `<li>`
- `<br>`
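To make the allowlist approach concrete, here is a small added example (not FastComments' own code; FastComments relies on DOMPurify and sanitize-html for this) that keeps only the tags listed above and drops everything else, including `<script>` bodies and event-handler attributes. The attribute allowlist (`href` on `<a>`, `src`/`alt` on `<img>`), the http(s)-only URL check and the lack of tag balancing are simplifications assumed for the example.

```javascript
// Allowlist sanitiser for comment HTML. Illustration only: FastComments itself uses
// DOMPurify and sanitize-html. Tag list is the one from the page; attribute list and
// URL check are assumptions for this example. Open/close tags are not balanced.
const ALLOWED_TAGS = new Set(['b', 'em', 'u', 'i', 'strike', 'pre', 'span', 'code',
  'img', 'a', 'strong', 'ul', 'ol', 'li', 'br']);
const ALLOWED_ATTRS = { a: new Set(['href']), img: new Set(['src', 'alt']) };
const DROP_BODY = new Set(['script', 'style']);   // discard their contents, not just the tags
const SAFE_URL = /^https?:\/\//i;                 // rejects javascript:, data:, vbscript:, ...

const escapeText = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = (s) => escapeText(s).replace(/"/g, '&quot;');

// Extract name/value pairs (name, name=v, name="v", name='v') from the body of a tag.
function parseAttrs(raw) {
  const re = /([a-zA-Z_:][-\w:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const attrs = [];
  let m;
  while ((m = re.exec(raw)) !== null) attrs.push([m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? '']);
  return attrs;
}

function sanitizeComment(html) {
  const out = [];
  let skipping = null;   // name of a dropped tag whose body we are currently discarding
  // split() with a capture group yields tag tokens interleaved with runs of text.
  for (const tok of html.split(/(<\/?[a-zA-Z][^>]*>)/)) {
    const m = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*?)\/?>$/.exec(tok);
    if (!m) { if (!skipping) out.push(escapeText(tok)); continue; }   // plain text: escape it
    const [, closing, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    if (skipping) { if (closing && name === skipping) skipping = null; continue; }
    if (!ALLOWED_TAGS.has(name)) { if (!closing && DROP_BODY.has(name)) skipping = name; continue; }
    if (closing) { out.push(`</${name}>`); continue; }
    const kept = [];
    for (const [attr, value] of parseAttrs(rawAttrs)) {
      if (!ALLOWED_ATTRS[name]?.has(attr)) continue;   // drops onload=, style=, class=, ...
      if ((attr === 'href' || attr === 'src') && !SAFE_URL.test(value.trim())) continue;
      kept.push(` ${attr}="${escapeAttr(value)}"`);
    }
    if (name === 'a') kept.push(' rel="nofollow noopener"');   // links get nofollow noopener, as described above
    out.push(`<${name}${kept.join('')}>`);
  }
  return out.join('');
}
```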