Conservancy/symposion_app
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
symposion_app/symposion/markdown_parser.py
Sachi King 0652471164 Sanitize user input on markdown fields 
This is an XSS vulnribilitiy.

This also blocks a number of MD attributes that a user might attempt to
use.

The following are the allowed attributes.

['a', 'abbr', 'acronym', 'b', 'blockquote', 'code', 'em', 'i', 'li',
'ol', 'p', 'pre', 'strong', 'ul']

I belive this to be acceptable, as honeslty, a speaker using H1 is going
to stomp all over the page and make it harder for the reviewer to parse.

UX wise, it's less than great.  A user can do # title and be left with
<h1> in the sanitized output.
2017-04-29 15:47:08 +10:00

14 lines
268 B
Python
Raw Blame History

from __future__ import unicode_literals
import bleach
import markdown
tags = bleach.sanitizer.ALLOWED_TAGS[:]
tags.extend(['p', 'pre'])
def parse(text):
md = markdown.markdown(text, extensions=['extra'])
text = bleach.clean(md, tags=tags)
return text
Reference in a new issue View git blame Copy permalink