Why was markdown deprecated in Django 1.5+?

Question

I've been planning to use markdown for a lot of the static content of a Website.

Given Python's markdown module, that's easy enough to do, but I noted that Django used to have builtin markdown support that was deprecated in version 1.5. I presume that there was a good reason for that, and I don't have any interest in walking down the same path myself if this is a bad idea.

What were the reasons for deprecating builtin markdown support in Django, and do those reasons still apply to the use of markdown in general within Django 1.9+?

Answer 1

First of all, it was not just Markdown support which was removed, but the contrib.markup library which was removed. That library contained template filters for Markdown, reStructeredText and Textile. Therefore, it would be more accurate to state that all lightweight markup language filters were removed. As I recall, there were various reasons for this:

• Around that time an effort was being made to break out many of the "contrib" packages into third party apps. contrib.markup was one such package. Some general reasons were that they were features which were not core to the usage of the framework, that they were poorly tested, or that they were poorly documented, among others.
• The lightweight markup language libraries are moving targets. Being much smaller than Django, they could be released on a shorter release cycle and it would take a long time for Django to "catch up." And then each language would be on a different cycle than the next. It makes more sense for each language to be supported by its own third party Django App which can always be "current" with the markup language library.
• The "contrib" app only provided template filters. However, there are other ways to support markup languages in Django (database fields, form fields, etc.). Some third party libraries have actually included these features for more complete support.
• There are some security concerns (primarily XSS) when untrusted users are permitted to post markup to your site (like comments). While there are things which can be done to alleviate such concerns, the Django developers did not want to take on the added work to guarantee a secure solution. Note that such concerns do not exist when only trusted authenticated users are providing content (for an explanation of the security concerns, see this article).

Sources:

• https://code.djangoproject.com/ticket/18054
• https://groups.google.com/d/msg/django-developers/tRpwMudkCfo/xXWQNrpOUagJ
• https://groups.google.com/d/msg/django-developers/kaW0z03TWvc/81mdKlRbfYMJ
• My memory. While my memory is not known to be completely reliable, I was actively involved in Django's development at the time and followed all dev discussions closely.