markdown: better input sanitization

app/utils/filters/markdown.py

@@ -6,6 +6,7 @@ from markdown.extensions.footnotes import FootnoteExtension
 from markdown.extensions.toc import TocExtension
 
 from app.utils.markdown_extensions.pclinks import PCLinkExtension
+from app.utils.markdown_extensions.escape_html import EscapeHtml
 
 
 @app.template_filter('md')
@@ -22,19 +23,12 @@ def md(text):
         'sane_lists',
         'tables',
         CodeHiliteExtension(linenums=True, use_pygments=True),
+        EscapeHtml(),
         FootnoteExtension(UNIQUE_IDS=True),
         TocExtension(baselevel=2),
         PCLinkExtension(),
     ]
 
-    def escape(text):
-        text = text.replace("&", "&")
-        text = text.replace("<", "&lt;")
-        text = text.replace(">", "&gt;")
-        return text
-
-    # Escape html chars because markdown does not
-    safe = escape(text)
-    out = markdown(safe, options=options, extensions=extensions)
+    out = markdown(text, options=options, extensions=extensions)
 
     return Markup(out)

app/utils/markdown_extensions/escape_html.py

@@ -0,0 +1,7 @@
+from markdown.extensions import Extension
+
+
+class EscapeHtml(Extension):
+    def extendMarkdown(self, md):
+        md.preprocessors.deregister('html_block')
+        md.inlinePatterns.deregister('html')