Markdown filter "safe" mode is vulnerable to e.g. 'onclick' attributes
| Reported by: | nomulous | Owned by: | nobody |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
The Python markdown library used by Django has syntax like this, which is obviously a JS injection vulnerability:
Somehow, Python-markdown's safe mode still allows this, and thus, Django does too. Since this "safe" mode is what developers are expected to use to render user input, this is a pretty significant security issue.
I have opened a ticket for Python-markdown here: https://github.com/waylan/Python-Markdown/issues/82
Newer versions of Python-markdown have an "enable_attributes" argument that you can pass, while older versions have a constant "ENABLE_ATTRIBUTES" that is declared at the module level. I'm not sure what the best way to fix this in Django directly would be.
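The report above concerns event-handler attributes such as 'onclick' surviving the renderer's "safe" mode. As an added example (not code from this ticket, Django, or Python-Markdown), the standard-library sketch below filters already-rendered HTML against an allowlist, so the result does not depend on what the Markdown library emitted. The tag and attribute policy, the `sanitize` helper, and the sample string are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy for this sketch: anything not listed is dropped.
ALLOWED_TAGS = {"p", "em", "strong", "a", "code", "pre", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")  # relative URLs are rejected too

# Constructed sample of rendered output carrying event-handler attributes.
SAMPLE = ('<p onclick="alert(1)">hi <a href="https://example.com/" '
          'onmouseover="x()">link</a> <a href="javascript:x()">bad</a></p>')


class AllowlistFilter(HTMLParser):
    """Re-emit only allowlisted tags and attributes; record what was removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # (tag, attribute) pairs removed, useful for logging

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None))
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            ok = name in ALLOWED_ATTRS.get(tag, ())
            if ok and name == "href":
                ok = value.strip().lower().startswith(SAFE_SCHEMES)
            if ok:
                kept.append(' %s="%s"' % (name, escape(value, quote=True)))
            else:
                self.dropped.append((tag, name))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # Text is re-escaped, including the body of any dropped <script> tag.
        self.out.append(escape(data, quote=False))


def sanitize(rendered_html):
    """Return (clean_html, dropped) for HTML produced by a Markdown renderer."""
    f = AllowlistFilter()
    f.feed(rendered_html)
    f.close()
    return "".join(f.out), f.dropped
```

A non-empty `dropped` list on content that went through "safe" rendering is a signal worth logging, since it means the renderer let through markup the policy does not permit.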
Change History (11)
comment:1 Changed 3 years ago by carljm
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
- Triage Stage changed from Unreviewed to Accepted