arona/PyRIGS
1
0
Fork 0
mirror of https://github.com/nottinghamtec/PyRIGS.git synced 2026-01-24 00:42:17 +00:00
Code Issues Projects Releases Wiki Activity

FIX: Prevent js injection through markdown fields

Browse Source
This commit is contained in:
FreneticScribbler
2020-02-10 00:05:07 +00:00
parent 68799ed0ef
commit 8ee8a357ba
1 changed files with 6 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
RIGS/templatetags/markdown_tags.py
View File

@@ -14,11 +14,14 @@ def markdown_filter(text, input_format='html'):
if text is None: if text is None:
return text return text
html = markdown.markdown(text, extensions=['markdown.extensions.nl2br']) html = markdown.markdown(text, extensions=['markdown.extensions.nl2br'])
# Convert format to RML
soup = BeautifulSoup(html, "html.parser")
# Prevent code injection
for script in soup('script'):
script.string = "Your script shall not pass!"
if input_format == 'html': if input_format == 'html':
return mark_safe('<div class="markdown">' + html + '</div>') return mark_safe('<div class="markdown">' + str(soup) + '</div>')
elif input_format == 'rml': elif input_format == 'rml':
# Convert format to RML
soup = BeautifulSoup(html, "html.parser")
# Image aren't supported so remove them # Image aren't supported so remove them
for img in soup('img'): for img in soup('img'):