Ticket #17837: markdown-safe.diff

File markdown-safe.diff, 6.5 KB (added by Preston Holmes, 11 years ago)

patch for trunk

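diff --git a/django/contrib/markup/templatetags/markup.py b/django/contrib/markup/templatetags/markup.py
index a6b8dde..b9fdce8 100644
--- a/django/contrib/markup/templatetags/markup.py
+++ b/django/contrib/markup/templatetags/markup.py
@@ -11,6 +11,8 @@ markup syntaxes to HTML; currently there is support for:
     * reStructuredText, which requires docutils from http://docutils.sf.net/
 """
 
+import warnings
+
 from django import template
 from django.conf import settings
 from django.utils.encoding import smart_str, force_unicode
@@ -63,14 +65,25 @@ def markdown(value, arg=''):
                 safe_mode = True
             else:
                 safe_mode = False
-
+            python_markdown_deprecation = "The use of Python-Markdown "
+            "< 2.1 in Django is deprecated; please update to the current version"
             # Unicode support only in markdown v1.7 or above. Version_info
             # exist only in markdown v1.6.2rc-2 or above.
-            if getattr(markdown, "version_info", None) < (1,7):
+            markdown_vers = getattr(markdown, "version_info", None)
+            if markdown_vers < (1,7):
+                warnings.warn(python_markdown_deprecation, DeprecationWarning)
                 return mark_safe(force_unicode(markdown.markdown(smart_str(value), extensions, safe_mode=safe_mode)))
             else:
-                return mark_safe(markdown.markdown(force_unicode(value), extensions, safe_mode=safe_mode))
+                if markdown_vers >= (2,1):
+                    if safe_mode:
+                        return mark_safe(markdown.markdown(force_unicode(value), extensions, safe_mode=safe_mode, enable_attributes=False))
+                    else:
+                        return mark_safe(markdown.markdown(force_unicode(value), extensions, safe_mode=safe_mode))
+                else:
+                    warnings.warn(python_markdown_deprecation, DeprecationWarning)
+                    return mark_safe(markdown.markdown(force_unicode(value), extensions, safe_mode=safe_mode))
         else:
+            warnings.warn(python_markdown_deprecation, DeprecationWarning)
             return mark_safe(force_unicode(markdown.markdown(smart_str(value))))
 
 @register.filter(is_safe=True)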
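Review bot: `python_markdown_deprecation` (the two added lines right after `safe_mode = False`) is not one string: without parentheses the second line is a stand-alone expression statement, so every warning emitted later carries only `"The use of Python-Markdown "`; write `python_markdown_deprecation = ("The use of Python-Markdown " "< 2.1 in Django is deprecated; please update to the current version")`. The `warnings.warn(python_markdown_deprecation, DeprecationWarning)` added in the outer `else:` branch at 8-space indent near the end of the hunk also reads a name that, as far as the hunk shows, is bound only inside the sibling `if` branch at 12 spaces, so that path would raise `NameError` instead of warning; binding the message above that `if` (whose header, like the start of `markdown(value, arg='')`, lies outside the hunk) or at module level fixes both. Since a `markdown:"safe"` call on a Python-Markdown < 2.1 install still returns `mark_safe(...)` output with attributes processed, the message should say that attributes cannot be disabled and the output is not attribute-safe, not only that the version is deprecated, which is what the release notes in this patch promise. As a point of style, the `markdown_vers >= (2,1)` branch duplicates the `markdown.markdown(...)` call in its two arms; a single call with `enable_attributes=not safe_mode` is equivalent, since the library's default for that option is True.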
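diff --git a/django/contrib/markup/tests.py b/django/contrib/markup/tests.py
index 2eb64d5..4539657 100644
--- a/django/contrib/markup/tests.py
+++ b/django/contrib/markup/tests.py
@@ -58,6 +58,20 @@ Paragraph 2 with a link_
         pattern = re.compile("""<p>Paragraph 1\s*</p>\s*<h2>\s*An h2</h2>""")
         self.assertTrue(pattern.match(rendered))
 
+    @unittest.skipUnless(markdown, 'markdown no installed')
+    def test_markdown_attribute_disable(self):
+        t = Template("{% load markup %}{{ markdown_content|markdown:'safe' }}")
+        markdown_content = "{@onclick=alert('hi')}some paragraph"
+        rendered = t.render(Context({'markdown_content':markdown_content})).strip()
+        self.assertTrue('@' in rendered)
+
+    @unittest.skipUnless(markdown, 'markdown no installed')
+    def test_markdown_attribute_enable(self):
+        t = Template("{% load markup %}{{ markdown_content|markdown }}")
+        markdown_content = "{@onclick=alert('hi')}some paragraph"
+        rendered = t.render(Context({'markdown_content':markdown_content})).strip()
+        self.assertFalse('@' in rendered)
+
     @unittest.skipIf(markdown, 'markdown is installed')
     def test_no_markdown(self):
         t = Template("{% load markup %}{{ markdown_content|markdown }}")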
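Review bot: The two new tests are gated only on `markdown` being importable, yet the markup.py hunk in this patch deliberately keeps supporting Python-Markdown < 2.1 with a warning, and on such an install attributes are still processed under `markdown:'safe'`, so `test_markdown_attribute_disable` would fail rather than skip; gate it on the library version, e.g. `@unittest.skipUnless(markdown and getattr(markdown, 'version_info', None) >= (2, 1), 'markdown < 2.1')` (`version_info` is the attribute the filter itself reads). Both skip reasons read `'markdown no installed'`; `'markdown not installed'` is meant. The `'@' in rendered` assertions are only a proxy for the behaviour under test; asserting that the literal `{@onclick` text survives in the safe case, `self.assertTrue("{@onclick" in rendered)`, and that it does not in the unsafe case, states the intent directly and would not be satisfied by an unrelated `@` in the output.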
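diff --git a/docs/internals/deprecation.txt b/docs/internals/deprecation.txt
index cb91a1c..81ca7af 100644
--- a/docs/internals/deprecation.txt
+++ b/docs/internals/deprecation.txt
@@ -196,6 +196,11 @@ these changes.
   filesystem path to a ``locale`` directory containing non-app-specific
   translations in its value.
 
+* The Markup contrib app will no longer support versions of Python-Markdown
+  library earlier than 2.1. An accelerated timeline was used as this was
+  a security related deprecation.
+
+
 1.6
 ---
 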
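diff --git a/docs/ref/contrib/markup.txt b/docs/ref/contrib/markup.txt
index d671e46..3abc27b 100644
--- a/docs/ref/contrib/markup.txt
+++ b/docs/ref/contrib/markup.txt
@@ -47,3 +47,19 @@ override the default writer settings. See the `restructuredtext writer
 settings`_ for details on what these settings are.
 
 .. _restructuredtext writer settings: http://docutils.sourceforge.net/docs/user/config.html#html4css1-writer
+
+Markdown
+--------
+
+The Python Markdown library supports options named "safe_mode" and
+"enable_attributes". Both relate to the security of the output. To enable both
+options in tandem, the markdown filter supports the "safe" argument.
+
+    {{ markdown_content_var|markdown:"safe" }}
+
+.. warning::
+
+    Versions of the Python-Markdown library prior to 2.1 do not support the
+    optional disabling of attributes and by default they will be included in
+    any output from the markdown filter - a warning is issued if this is the
+    case.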
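diff --git a/docs/releases/1.4.txt b/docs/releases/1.4.txt
index 1e3c603..cfaabff 100644
--- a/docs/releases/1.4.txt
+++ b/docs/releases/1.4.txt
@@ -1078,6 +1078,17 @@ The internals of the tag aren't part of the official stable API, but in the
 interests of full disclosure, the ``ExtendsNode.__init__`` definition has
 changed, which may break any custom tags that use this class.
 
+Attributes disabled in markdown when safe mode set
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Prior to Django 1.4, attributes were included in any markdown output regardless
+of safe mode setting of the filter. With version > 2.1 of the Python-Markdown
+library, an enable_attributes option was added. When the safe argument is
+passed to the markdown filter, both the ``safe_mode=True`` and
+``enable_attributes=False`` options are set. If using a version of the
+Python-Markdown library less than 2.1, a warning is issued that the output is
+insecure.
+
 Features deprecated in 1.4
 ==========================
 
@@ -1243,3 +1254,12 @@ each request to a site map now creates a new Paginator object and calls the
 ``items()`` method is doing, this may have a negative performance impact.
 To mitigate the performance impact, consider using the :doc:`caching
 framework </topics/cache>` within your ``Sitemap`` subclass.
+
+Versions of Python-Markdown earlier than 2.1
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Versions of Python-Markdown earlier than 2.1 do not support the option to
+disable attributes. As a security issue, earlier versions of this library will
+not be supported by the markup contrib app in 1.5 under an accerlated
+deprecation timeline.
+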