Ticket #17837: markdown-safe-backport.diff

File markdown-safe-backport.diff, 4.2 KB (added by Preston Holmes, 11 years ago)

for 1.3.X branch

  • django/contrib/markup/templatetags/markup.py

    diff --git a/django/contrib/markup/templatetags/markup.py b/django/contrib/markup/templatetags/markup.py
    index 7cdc04c..66cb12b 100644
    a b markup syntaxes to HTML; currently there is support for: 
    1111    * reStructuredText, which requires docutils from http://docutils.sf.net/
    1212"""
    1313
     14import warnings
     15
    1416from django import template
    1517from django.conf import settings
    1618from django.utils.encoding import smart_str, force_unicode
    def markdown(value, arg=''): 
    6567
    6668            # Unicode support only in markdown v1.7 or above. Version_info
    6769            # exist only in markdown v1.6.2rc-2 or above.
    68             if getattr(markdown, "version_info", None) < (1,7):
     70            markdown_vers = getattr(markdown, "version_info", None)
     71            if markdown_vers < (1,7):
    6972                return mark_safe(force_unicode(markdown.markdown(smart_str(value), extensions, safe_mode=safe_mode)))
    7073            else:
    71                 return mark_safe(markdown.markdown(force_unicode(value), extensions, safe_mode=safe_mode))
     74                if markdown_vers >= (2,1):
     75                    if safe_mode:
     76                        return mark_safe(markdown.markdown(force_unicode(value), extensions, safe_mode=safe_mode, enable_attributes=False))
     77                    else:
     78                        return mark_safe(markdown.markdown(force_unicode(value), extensions, safe_mode=safe_mode))
     79                else:
     80                    warnings.warn("Versions of markdown prior to 2.1 do not "
     81                            "support disabling of attributes, no "
     82                            "attributes have been removed and the result "
     83                            "is insecure.")
     84                    return mark_safe(markdown.markdown(force_unicode(value), extensions, safe_mode=safe_mode))
    7285        else:
    7386            return mark_safe(force_unicode(markdown.markdown(smart_str(value))))
    7487markdown.is_safe = True
  • django/contrib/markup/tests.py

    diff --git a/django/contrib/markup/tests.py b/django/contrib/markup/tests.py
    index e97a7de..6903dd7 100644
    a b Paragraph 2 with a link_ 
    6060        pattern = re.compile("""<p>Paragraph 1\s*</p>\s*<h2>\s*An h2</h2>""")
    6161        self.assertTrue(pattern.match(rendered))
    6262
     63    @unittest.skipUnless(markdown, 'markdown no installed')
     64    def test_markdown_attribute_disable(self):
     65        t = Template("{% load markup %}{{ markdown_content|markdown:'safe' }}")
     66        markdown_content = "{@onclick=alert('hi')}some paragraph"
     67        rendered = t.render(Context({'markdown_content':markdown_content})).strip()
     68        self.assertTrue('@' in rendered)
     69
     70    @unittest.skipUnless(markdown, 'markdown no installed')
     71    def test_markdown_attribute_enable(self):
     72        t = Template("{% load markup %}{{ markdown_content|markdown }}")
     73        markdown_content = "{@onclick=alert('hi')}some paragraph"
     74        rendered = t.render(Context({'markdown_content':markdown_content})).strip()
     75        self.assertFalse('@' in rendered)
     76
    6377    @unittest.skipIf(markdown, 'markdown is installed')
    6478    def test_no_markdown(self):
    6579        t = Template("{{ markdown_content|markdown }}")
  • docs/ref/contrib/markup.txt

    diff --git a/docs/ref/contrib/markup.txt b/docs/ref/contrib/markup.txt
    index d5f07f5..a4480f6 100644
    a b override the default writer settings. See the `restructuredtext writer 
    4747settings`_ for details on what these settings are.
    4848
    4949.. _restructuredtext writer settings: http://docutils.sourceforge.net/docs/user/config.html#html4css1-writer
     50
     51Markdown
     52--------
     53
     54The Python Markdown library supports options named "safe_mode" and
     55"enable_attributes". Both relate to the security of the output. To enable both
     56options in tandem, the markdown filter supports the "safe" argument.
     57
     58    {{ markdown_content_var|markdown:"safe" }}
     59
     60.. warning::
     61
     62    Versions of the Python-Markdown library prior to 2.1 do not support the
     63    optional disabling of attributes and by default they will be included in
     64    any output from the markdown filter - a warning is issued if this is the
     65    case.
Back to Top