
Django-markdown-deux XSS? #9

Open

evi1m0 opened this issue Dec 21, 2014 · 9 comments
Comments

evi1m0 commented Dec 21, 2014

[test](javascript:alert(1))

alert(1)

RicterZ added a commit to RicterZ/django-markdown-deux that referenced this issue Dec 21, 2014
RicterZ commented Dec 21, 2014

The sample of the patch: http://buzz.beebeeto.com/topic/5/

evi1m0 (author) commented Dec 21, 2014

[[test](javascript:alert(1))](javascript:alert(1))

Bypass

RicterZ commented Dec 21, 2014

@evi1m0 WTF!

flsf commented Dec 21, 2014

23333333

phith0n commented Oct 3, 2016

??? How to solve this?

RicterZ commented Oct 4, 2016

It seems that the project is no longer maintained. @phith0n

phith0n commented Oct 4, 2016

I used python-xss-filter to render it again:

```python
from django import template
from xss import XssHtml  # python-xss-filter

register = template.Library()


@register.filter(name="purifier")
def html_purifier_filter(value):
    # Re-parse the HTML the markdown filter already produced and drop
    # whatever python-xss-filter does not whitelist.
    parser = XssHtml()
    parser.feed(value)
    parser.close()
    return parser.getHtml()


# The filter adds no unsafe characters, so safe (markdown) input stays
# marked safe and Django does not autoescape the result.
html_purifier_filter.is_safe = True
```

Then in template

```django
{{ post.content | markdown | purifier }}
```

It is not a long-term solution, but it is effective.
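The approach in the comment above, post-processing the renderer's HTML instead of patching the Markdown parser, as an added example that is not part of this thread and not code from django-markdown-deux or python-xss-filter: a standard-library `HTMLParser` subclass that keeps only allow-listed tags and attributes, drops event-handler attributes, and removes any `href`/`src` whose scheme is not `http`, `https` or `mailto`, after stripping the control characters browsers ignore inside a scheme. The HTML inputs in the tests are constructed to resemble what a Markdown renderer might emit for the payloads in this issue; they are not verified markdown2 output, and the class and function names are my own.

```python
"""Scheme-allowlist sanitizer for HTML produced by a Markdown renderer.

Added example (stdlib only), not code from django-markdown-deux or
python-xss-filter.
"""
import html
import re
from html.parser import HTMLParser

# Tags a rendered Markdown post may need, with the attributes each may keep.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "title"},
    "p": set(), "br": set(), "em": set(), "strong": set(),
    "code": set(), "pre": set(), "blockquote": set(),
    "ul": set(), "ol": set(), "li": set(),
    "h1": set(), "h2": set(), "h3": set(), "h4": set(),
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
DROP_CONTENT = {"script", "style"}  # drop the tag and everything inside it

# Browsers ignore tabs, newlines and other control characters inside a
# scheme, so "java\tscript:" must be normalised before it is checked.
_CONTROL = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def url_is_safe(url: str) -> bool:
    """True for relative URLs and for absolute URLs with an allow-listed scheme."""
    cleaned = _CONTROL.sub("", url).lower()
    match = _SCHEME.match(cleaned)
    if match is None:
        return True  # /path, ?query, #fragment: no scheme to abuse
    return match.group(1) in SAFE_SCHEMES


class SafeLinkFilter(HTMLParser):
    """Re-serialise HTML, keeping only allow-listed tags, attributes and URLs."""

    def __init__(self):
        # convert_charrefs=True: handle_data receives decoded text, and
        # HTMLParser always decodes attribute values, so "&#58;" is seen as ":".
        super().__init__()
        self.out = []
        self._skipping = None

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._skipping = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped, its text content survives escaped
        parts = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue  # drops onerror=, onclick=, style=, ...
            value = value or ""
            if name in URL_ATTRS and not url_is_safe(value):
                continue  # javascript:, data:, vbscript: ... are removed
            parts.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")

    def handle_endtag(self, tag):
        if tag == self._skipping:
            self._skipping = None
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skipping:
            return
        self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped


def sanitize(rendered_html: str) -> str:
    """Run the filter over HTML that a Markdown renderer has already produced."""
    parser = SafeLinkFilter()
    parser.feed(rendered_html)
    parser.close()
    return "".join(parser.out)
```

Because the check runs on the rendered HTML, nesting links in the Markdown source changes nothing: every `<a>` the renderer emits is inspected on its own, and the `href` is only kept when its normalised scheme is on the list. Wrapping `sanitize` in a Django template filter with `is_safe = True`, as in the comment above, slots it into the same `markdown | purifier` chain.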

raminfp commented Oct 4, 2016

Hi @phith0n

Please use this: https://github.com/bartTC/django-markup

Thanks,

phith0n commented Oct 4, 2016

@raminfp
e... django-markup uses Python-Markdown, which doesn't seem to support the 'code-friendly' extra, so anything between underscores will be converted into italic or bold?
