id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
13980	The markdown template tag in django.contrib.markup should escape preexisting HTML, as its output is marked as safe	Fletcher Tomalty	nobody	"I'm not sure about the other markup options, but Markdown itself should definitely not be marked as safe. You can easily render <script type=""text/javascript"">alert('pwned')</script> with Markdown, and with that is_safe = True there, the HTML will not be escaped."		closed	Contrib apps	1.2		invalid	markup, markdown, safe, escape		Unreviewed	1	0	0	0	0	0
