django-markdown-deux icon indicating copy to clipboard operation
django-markdown-deux copied to clipboard

Published 20 hours ago verified publisher icon trentm

Django-markdown-deux XSS?

Open evi1m0 opened this issue 10 years ago • 9 comments 

[test](javascript:alert(1))

alert(1)

evi1m0 avatar Dec 21 '14 03:12 evi1m0

The sample of the patch: http://buzz.beebeeto.com/topic/5/

RicterZ avatar Dec 21 '14 04:12 RicterZ 

[[test](javascript:alert(1))](javascript:alert(1))

Bypass

evi1m0 avatar Dec 21 '14 04:12 evi1m0

@Evi1m0 WTF!

RicterZ avatar Dec 21 '14 04:12 RicterZ

23333333

flsf avatar Dec 21 '14 04:12 flsf

??? how to solve

phith0n avatar Oct 03 '16 19:10 phith0n

It seems that the project is no longer maintained. @phith0n

RicterZ avatar Oct 04 '16 01:10 RicterZ

I used python-xss-filter to render it again:

@register.filter(name="purifier")
def html_purifier_filter(value):
    parser = XssHtml()
    parser.feed(value)
    parser.close()
    return parser.getHtml()

html_purifier_filter.is_safe = True

Then in template

··· {{ post.content | markdown | purifier }} ···

It is not a long-term solution, but effective.

phith0n avatar Oct 04 '16 07:10 phith0n

Hi @phith0n

please use this : https://github.com/bartTC/django-markup

Thanks,

raminfp avatar Oct 04 '16 07:10 raminfp

@RaminFP e... django-markup used python-markdown, it doesn't seem to support extra 'code-friendly', so anything between underscores will be converted into italic or bold?

phith0n avatar Oct 04 '16 09:10 phith0n