id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
17837	"Markdown filter ""safe"" mode is vulnerable to e.g. 'onclick' attributes"	Fletcher Tomalty	nobody	"The Python markdown library used by Django has syntax like this, which is obviously a JS injection vulnerability:


{{{
{@onclick=alert(1)}paragraph
}}}

Somehow, Python-markdown's safe mode still allows this, and thus, Django does too. Since this ""safe"" mode is what developers are expected to use to render user input, this is a pretty significant security issue.

I have opened a ticket for Python-markdown here: https://github.com/waylan/Python-Markdown/issues/82

Newer versions of Python-markdown have an ""enable_attributes"" argument that you can pass, while older versions have a constant ""ENABLE_ATTRIBUTES"" that is declared at the module level. I'm not sure what the best way to fix this in Django directly would be."	Bug	closed	contrib.markup	dev	Release blocker	fixed	javascript, injection, xss, markdown	lemaire.adrien@…	Accepted	1	0	0	0	0	0
