| Field | Value | Date |
|---|---|---|
| author | Dan McGee <dan@archlinux.org> | 2012-10-26 23:49:58 +0200 |
| committer | Dan McGee <dan@archlinux.org> | 2012-10-26 23:50:00 +0200 |
| commit | 0b97d52351fc2bdcae16f1a1e7c56afd4ed476ad (patch) | |
| tree | cae2a43c21d99f236a235863ee98f76775fb78c9 /templates/public/index.html | |
| parent | 520066075938d325f93f814f92bb6005d00833c8 (diff) | |
| download | archweb-0b97d52351fc2bdcae16f1a1e7c56afd4ed476ad.tar.gz, archweb-0b97d52351fc2bdcae16f1a1e7c56afd4ed476ad.tar.xz | |
Enable safe mode for markdown parsing
Although we don't allow unauthenticated users to post content, we should
still cover our bases here and ensure people can't inject stuff into the
production website via an inadvertent XSS.
Signed-off-by: Dan McGee <dan@archlinux.org>
Diffstat (limited to 'templates/public/index.html')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | templates/public/index.html | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/templates/public/index.html b/templates/public/index.html index 000a527..762433a 100644 --- a/templates/public/index.html +++ b/templates/public/index.html @@ -53,8 +53,8 @@ </h4> <p class="timestamp">{{ news.postdate|date }}</p> <div class="article-content"> - {% if forloop.counter0 == 0 %}{{ news.content|markdown|truncatewords_html:300 }} - {% else %}{{ news.content|markdown|truncatewords_html:100 }}{% endif %} + {% if forloop.counter0 == 0 %}{{ news.content|markdown:'safe'|truncatewords_html:300 }} + {% else %}{{ news.content|markdown:'safe'|truncatewords_html:100 }}{% endif %} </div> {% else %} {% if forloop.counter0 == 5 %} |
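Review bot: the `markdown:'safe'` argument is applied only at these two template call sites, so any other template or view that renders `news.content` through the bare `markdown` filter is still unescaped; check that every rendering of `news.content` gets the same argument, or move the safe-mode rendering into one shared helper so a new template cannot omit it. A smaller point: the two branches of `{% if forloop.counter0 == 0 %}` differ only in the truncation count, so the filter chain `news.content|markdown:'safe'|truncatewords_html:N` could be written once with only the count chosen by the condition, which avoids having to duplicate future changes to the chain. It would also help to note in a template comment that `'safe'` here enables the markdown parser's safe mode (escaping raw HTML), since it reads like Django's `|safe` filter, which does the opposite.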