symposion_app/symposion/markdown_parser.py

import bleach
import markdown


tags = bleach.sanitizer.ALLOWED_TAGS[:]
tags.extend(['p', 'pre'])


def parse(text):
    md = markdown.markdown(text, extensions=['extra'])
    text = bleach.clean(md, tags=tags)
    return text
Sanitize user input on markdown fields This is an XSS vulnribilitiy. This also blocks a number of MD attributes that a user might attempt to use. The following are the allowed attributes. ['a', 'abbr', 'acronym', 'b', 'blockquote', 'code', 'em', 'i', 'li', 'ol', 'p', 'pre', 'strong', 'ul'] I belive this to be acceptable, as honeslty, a speaker using H1 is going to stomp all over the page and make it harder for the reviewer to parse. UX wise, it's less than great. A user can do # title and be left with <h1> in the sanitized output. 2017-04-21 00:34:48 +00:00			`import bleach`
add our more liberal markdown parser to symposion 2012-07-18 23:20:51 +00:00			`import markdown`


Sanitize user input on markdown fields This is an XSS vulnribilitiy. This also blocks a number of MD attributes that a user might attempt to use. The following are the allowed attributes. ['a', 'abbr', 'acronym', 'b', 'blockquote', 'code', 'em', 'i', 'li', 'ol', 'p', 'pre', 'strong', 'ul'] I belive this to be acceptable, as honeslty, a speaker using H1 is going to stomp all over the page and make it harder for the reviewer to parse. UX wise, it's less than great. A user can do # title and be left with <h1> in the sanitized output. 2017-04-21 00:34:48 +00:00			`tags = bleach.sanitizer.ALLOWED_TAGS[:]`
			`tags.extend(['p', 'pre'])`
Fix flake8 warnings 2014-07-30 18:19:26 +00:00

Sanitize user input on markdown fields This is an XSS vulnribilitiy. This also blocks a number of MD attributes that a user might attempt to use. The following are the allowed attributes. ['a', 'abbr', 'acronym', 'b', 'blockquote', 'code', 'em', 'i', 'li', 'ol', 'p', 'pre', 'strong', 'ul'] I belive this to be acceptable, as honeslty, a speaker using H1 is going to stomp all over the page and make it harder for the reviewer to parse. UX wise, it's less than great. A user can do # title and be left with <h1> in the sanitized output. 2017-04-21 00:34:48 +00:00			`def parse(text):`
			`md = markdown.markdown(text, extensions=['extra'])`
			`text = bleach.clean(md, tags=tags)`
Massively upgrade symposion * Remove markitup (to be replaced with Ace editor) * Use DUA decorators * Removed custom signup bits * Upgraded dependencies * Added migrations * Namespaced template locations * Removed html5parser/sanitizer (for now) - parsing functionality should be moved out entirely to a hooks * Replaced ProposalScoreExpression object with a function that returns F() expressions 2015-10-16 17:36:58 +00:00			`return text`