From 8ee8a357ba791b591584c803b3dcbc7dab424526 Mon Sep 17 00:00:00 2001
From: FreneticScribbler
Date: Mon, 10 Feb 2020 00:05:07 +0000
Subject: [PATCH] FIX: Prevent js injection through markdown fields
---
 RIGS/templatetags/markdown_tags.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/RIGS/templatetags/markdown_tags.py b/RIGS/templatetags/markdown_tags.py
index 280099bb..91300f64 100644
--- a/RIGS/templatetags/markdown_tags.py
+++ b/RIGS/templatetags/markdown_tags.py
@@ -14,11 +14,14 @@ def markdown_filter(text, input_format='html'):
 if text is None:
 return text
 html = markdown.markdown(text, extensions=['markdown.extensions.nl2br'])
+ # Convert format to RML
+ soup = BeautifulSoup(html, "html.parser")
+ # Prevent code injection
+ for script in soup('script'):
+ script.string = "Your script shall not pass!"
 if input_format == 'html':
- return mark_safe('
' + html + '
')
+ return mark_safe('
' + str(soup) + '
')
 elif input_format == 'rml':
- # Convert format to RML
- soup = BeautifulSoup(html, "html.parser")
 # Image aren't supported so remove them
 for img in soup('img'):