diff options
| author | Dan McGee <dan@archlinux.org> | 2012-10-26 23:49:58 +0200 |
|---|---|---|
| committer | Dan McGee <dan@archlinux.org> | 2012-10-26 23:50:00 +0200 |
| commit | 0b97d52351fc2bdcae16f1a1e7c56afd4ed476ad (patch) | |
| tree | cae2a43c21d99f236a235863ee98f76775fb78c9 | |
| parent | 520066075938d325f93f814f92bb6005d00833c8 (diff) | |
| download | archweb-0b97d52351fc2bdcae16f1a1e7c56afd4ed476ad.tar.gz archweb-0b97d52351fc2bdcae16f1a1e7c56afd4ed476ad.tar.xz | |
Enable safe mode for markdown parsing
Although we don't allow unauthenticated users to post content, we should
still cover our bases here and ensure people can't inject stuff into the
production website via an inadvertent XSS.
Signed-off-by: Dan McGee <dan@archlinux.org>
| -rw-r--r-- | news/views.py | 2 | ||||
| -rw-r--r-- | templates/feeds/news_description.html | 2 | ||||
| -rw-r--r-- | templates/news/view.html | 2 | ||||
| -rw-r--r-- | templates/public/index.html | 4 |
4 files changed, 5 insertions, 5 deletions
diff --git a/news/views.py b/news/views.py index 03f3b0a..c0230f1 100644 --- a/news/views.py +++ b/news/views.py @@ -76,7 +76,7 @@ def view_redirect(request, object_id): @require_POST def preview(request): data = request.POST.get('data', '') - markup = markdown.markdown(data) + markup = markdown.markdown(data, safe_mode=True) return HttpResponse(markup) # vim: set ts=4 sw=4 et: diff --git a/templates/feeds/news_description.html b/templates/feeds/news_description.html index e75d0af..7783036 100644 --- a/templates/feeds/news_description.html +++ b/templates/feeds/news_description.html @@ -1,3 +1,3 @@ {% load markup %} <p>{{obj.author.get_full_name}} wrote:</p> -{{ obj.content|markdown }}
\ No newline at end of file +{{ obj.content|markdown:'safe' }} diff --git a/templates/news/view.html b/templates/news/view.html index 445f039..b6c06b2 100644 --- a/templates/news/view.html +++ b/templates/news/view.html @@ -28,6 +28,6 @@ <p class="article-info">{{ news.postdate|date }} - {{ news.author.get_full_name }}</p> - <div class="article-content" itemprop="articleBody">{{ news.content|markdown }}</div> + <div class="article-content" itemprop="articleBody">{{ news.content|markdown:'safe' }}</div> </div> {% endblock %} diff --git a/templates/public/index.html b/templates/public/index.html index 000a527..762433a 100644 --- a/templates/public/index.html +++ b/templates/public/index.html @@ -53,8 +53,8 @@ </h4> <p class="timestamp">{{ news.postdate|date }}</p> <div class="article-content"> - {% if forloop.counter0 == 0 %}{{ news.content|markdown|truncatewords_html:300 }} - {% else %}{{ news.content|markdown|truncatewords_html:100 }}{% endif %} + {% if forloop.counter0 == 0 %}{{ news.content|markdown:'safe'|truncatewords_html:300 }} + {% else %}{{ news.content|markdown:'safe'|truncatewords_html:100 }}{% endif %} </div> {% else %} {% if forloop.counter0 == 5 %} |