From eba1b7dd3b8b27551078e7258fd9c48bddba4ad8 Mon Sep 17 00:00:00 2001
From: Darks
Date: Tue, 23 Feb 2021 12:00:34 +0100
Subject: [PATCH] markdown: better input sanitization

---
 app/utils/filters/markdown.py | 12 +++---------
 app/utils/markdown_extensions/escape_html.py | 7 +++++++
 2 files changed, 10 insertions(+), 9 deletions(-)
 create mode 100644 app/utils/markdown_extensions/escape_html.py

diff --git a/app/utils/filters/markdown.py b/app/utils/filters/markdown.py
index f7455a9..721b226 100644
--- a/app/utils/filters/markdown.py
+++ b/app/utils/filters/markdown.py
@@ -6,6 +6,7 @@ from markdown.extensions.footnotes import FootnoteExtension
 from markdown.extensions.toc import TocExtension
 from app.utils.markdown_extensions.pclinks import PCLinkExtension
+from app.utils.markdown_extensions.escape_html import EscapeHtml
 @app.template_filter('md')
@@ -22,19 +23,12 @@ def md(text):
         'sane_lists',
         'tables',
         CodeHiliteExtension(linenums=True, use_pygments=True),
+        EscapeHtml(),
         FootnoteExtension(UNIQUE_IDS=True),
         TocExtension(baselevel=2),
         PCLinkExtension(),
     ]
-    def escape(text):
-        text = text.replace("&", "&")
-        text = text.replace("<", "<")
-        text = text.replace(">", ">")
-        return text
-    # Escape html chars because markdown does not
-    safe = escape(text)
-    out = markdown(safe, options=options, extensions=extensions)
+    out = markdown(text, options=options, extensions=extensions)
     return Markup(out)
diff --git a/app/utils/markdown_extensions/escape_html.py b/app/utils/markdown_extensions/escape_html.py
new file mode 100644
index 0000000..28f00a8
--- /dev/null
+++ b/app/utils/markdown_extensions/escape_html.py
@@ -0,0 +1,7 @@
+from markdown.extensions import Extension
+
+
+class EscapeHtml(Extension):
+    def extendMarkdown(self, md):
+        md.preprocessors.deregister('html_block')
+        md.inlinePatterns.deregister('html')
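Review bot: In the second hunk of markdown.py the `EscapeHtml()` entry in `extensions` becomes the only control between the untrusted `text` and the `Markup(out)` return, and it only makes raw HTML tags render as literal text — as far as I can tell Python-Markdown does not restrict URL schemes, so link and image destinations written in Markdown syntax (`javascript:`, `data:`) still reach the rendered `href`/`src`. The removed `escape()` did not cover that either, so this is not a regression, but the bare `out = markdown(text, ...)` line now reads as if the output were fully sanitized; a comment above it such as `# EscapeHtml only neutralises raw HTML; Markdown-syntax link targets are not scheme-filtered here` would keep the next maintainer from assuming otherwise, and an output-side HTML sanitizer with a scheme allow-list is the usual complement before marking the result safe. One behaviour change is worth recording in the commit message: the old code rewrote `&` before parsing, so an entered entity like `&lt;` was displayed literally, whereas with the extension the built-in `entity` pattern passes it through and it renders as the character it names. The enclosing `md()` begins before this hunk, so its `options` and the start of `extensions` are not visible here.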
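Review bot: `EscapeHtml` in the new file has no docstring, yet the two `deregister` names carry the whole security contract of the `md` filter that loads it; the class should state what it guarantees and what it does not, e.g. a docstring saying that it makes raw HTML in the input render as literal text by removing the `html_block` preprocessor and the `html` inline pattern, that this is the documented replacement for the removed `safe_mode='escape'`, and that it is not a sanitizer because Markdown-syntax links, images and entities are still emitted as-is. `Registry.deregister` raises when the name is not registered, so loading this extension twice, or after another extension that already removed those processors, fails at parser build time; if failing loudly is intended (it is the safer default), a one-line comment `# strict deregister on purpose: a missing processor means the escape guarantee is already gone` would stop a later `strict=False` "fix" from silently dropping the protection.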