6c06b69dc5
When an attacker uses a <form> to downvote a comment, the browser *should* add a `Content-Type: ...` header with three possible values:

* application/x-www-form-urlencoded
* multipart/form-data
* text/plain

If the header is not sent or requests `application/json`, the request is not forged (XHR is restricted by CORS separately).
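The rule from the commit message above, written as a small WSGI check. This is an added example, not Isso's own code: the names `accept`, `form_could_send` and `ContentTypeGuard` are hypothetical, and refusing media types the message does not mention is a choice made here.

```python
# Added example, not Isso's own code: the Content-Type rule from the commit message.

# The three media types an HTML <form> can submit (listed in the commit message).
FORM_TYPES = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})
UNSAFE_METHODS = frozenset({"POST", "PUT", "DELETE", "PATCH"})


def media_type(content_type):
    """Lowercased media type without parameters; None if the header is absent/empty."""
    if not content_type or not content_type.strip():
        return None
    return content_type.split(";", 1)[0].strip().lower()


def form_could_send(content_type):
    """True if an HTML form can produce this Content-Type value (useful for logging)."""
    return media_type(content_type) in FORM_TYPES


def accept(method, content_type):
    """Apply the commit message's rule to one request.

    Safe methods pass. An unsafe method passes only when the header is absent
    or names application/json; any other type is refused (fail closed, a
    choice made in this example).
    """
    if method.upper() not in UNSAFE_METHODS:
        return True
    return media_type(content_type) in (None, "application/json")


class ContentTypeGuard:
    """WSGI middleware (hypothetical name) answering 403 when accept() refuses."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if accept(environ.get("REQUEST_METHOD", "GET"), environ.get("CONTENT_TYPE")):
            return self.app(environ, start_response)
        body = b"Forbidden: Content-Type not accepted for this method\n"
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]
```

Parameters such as `charset` or `boundary` and differences in letter case are stripped before the comparison, so `Multipart/Form-Data; boundary=...` is still recognised as a form type.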
Isso – Ich schrei sonst
You love static blog generators (especially Acrylamid *cough*) and the only option to interact with your community is Disqus. There's nothing wrong with it, but if you care about the privacy of your audience you are better off with a comment system that is under your control. This is where Isso comes into play.
Features
- CRUD comments written in Markdown
- SQLite backend, Disqus import
- client-side JS (currently 54kb minified, 18kb gzipped)
- I18N, available in German and English (also fallback)
Installation
- Python 2.6, 2.7 or 3.3
- a working C compiler
Install Isso with:
~> pip install isso
Set your database location and website:
~> cat my.cfg
[general]
dbpath = /var/lib/isso/comments.db
host = http://example.tld/
Optional: you can import your comments from Disqus.com:
~> isso -c my.cfg import ~/Downloads/user-2013-09-02T11_39_22.971478-all.xml
[100%] 53 threads, 192 comments
Now start the server:
~> isso -c my.cfg run
2013-10-30 09:32:48,369 WARNING: unable to connect to SMTP server
2013-10-30 09:32:48,408 INFO: connected to HTTP server
Make sure Isso can connect to the server that hosts your blog; otherwise you will not be able to post comments.
Website Integration
You can run Isso on a dedicated domain or behind a sub URI like /isso. It makes no difference except for the webserver configuration (see below).
Whichever method you prefer (just change the URL), to embed comments add
<script src="http://example.tld/js/embed.min.js"></script>
to your HTML (presumably into <head>) and
<div id="isso-thread"></div>
below your post. That's all. The JavaScript client will automatically detect the API endpoint.
To show the comment count for posts (but no comments), add
<script src="http://example.tld/js/count.min.js"></script>
to your header, and all links ending with #isso-thread are updated with the current comment count.
This functionality is already included when you embed embed.min.js; do not mix embed.min.js and count.min.js in a single document.
Client Configuration
You can configure the client (the JS part) via data- attributes:
- data-title

  When you start a new thread (= first comment on a page), Isso sends a GET request to that page to a) see if it exists and b) parse the site's heading (currently used as the subject in emails).

  Isso assumes that the title is inside an h1 tag near the isso thread:

      <html>
        <body>
          <h1>Website Title</h1>
          <article>
            <header>
              <h1>Post Title</h1>
              <section id="isso-thread">
              ...

  In this example, the detected title is Post Title as expected, but some older sites may only use a single h1 as their website's main title, and an h2 for the post title. Unfortunately this is ambiguous and you have to tell Isso what the actual post title is:

      <section data-title="Post Title" id="isso-thread">

  Make sure to escape the attribute value.
- data-isso

  Isso usually detects the REST API automatically, but when you serve the JS script on a different location, this may fail. Use data-isso to override the API location:

      <script data-isso="/isso" src="/path/to/embed.min.js"></script>
- data-isso-css

  Setting this to false prevents Isso from automatically appending the stylesheet. Defaults to true.

      <script src="..." data-isso-css="false"></script>
- data-isso-lang

  Overrides the user agent's preferred language. Currently available: German (de), English (en) and French (fr).
- data-isso-reply-to-self

  Set to true when spam guard is configured with reply-to-self = true.
Webserver configuration
- nginx configuration to run Isso on /isso:

      server {
          listen [::]:80;
          listen [::]:443 ssl;
          server_name example.tld;
          root /var/www/example.tld;

          location /isso {
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Script-Name /isso;
              proxy_pass http://localhost:8080;
          }
      }
- nginx configuration to run Isso on a dedicated domain:

      server {
          listen [::]:8080;
          server_name comments.example.tld;

          location / {
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_pass http://localhost:8080;
          }
      }
Init Scripts
- SystemD: isso.service
- SysVinit: isso.init
- OpenBSD: GH:Gist
Documentation
For further help, join #isso on Freenode!
Alternatives
- talkatv – Python
- Juvia – Ruby on Rails
- Tildehash.com – PHP
- SO: Unobtrusive, self-hosted comments