From 0b97d52351fc2bdcae16f1a1e7c56afd4ed476ad Mon Sep 17 00:00:00 2001
From: Dan McGee <dan@archlinux.org>
Date: Fri, 26 Oct 2012 16:49:58 -0500
Subject: Enable safe mode for markdown parsing

Although we don't allow unauthenticated users to post content, we should
still cover our bases here and ensure people can't inject stuff into the
production website via an inadvertent XSS.

Signed-off-by: Dan McGee <dan@archlinux.org>
---
 templates/public/index.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'templates/public/index.html')

diff --git a/templates/public/index.html b/templates/public/index.html
index 000a527..762433a 100644
--- a/templates/public/index.html
+++ b/templates/public/index.html
@@ -53,8 +53,8 @@
     </h4>
     <p class="timestamp">{{ news.postdate|date }}</p>
     <div class="article-content">
-        {% if forloop.counter0 == 0 %}{{ news.content|markdown|truncatewords_html:300 }}
-        {% else %}{{ news.content|markdown|truncatewords_html:100 }}{% endif %}
+        {% if forloop.counter0 == 0 %}{{ news.content|markdown:'safe'|truncatewords_html:300 }}
+        {% else %}{{ news.content|markdown:'safe'|truncatewords_html:100 }}{% endif %}
     </div>
     {% else %}
     {% if forloop.counter0 == 5 %}
-- 
cgit v1.2.3-24-g4f1b