summaryrefslogtreecommitdiffstats
path: root/templates
diff options
context:
space:
mode:
authorDan McGee <dan@archlinux.org>2012-10-26 16:49:58 -0500
committerDan McGee <dan@archlinux.org>2012-10-26 16:50:00 -0500
commit0b97d52351fc2bdcae16f1a1e7c56afd4ed476ad (patch)
treecae2a43c21d99f236a235863ee98f76775fb78c9 /templates
parent520066075938d325f93f814f92bb6005d00833c8 (diff)
downloadarchweb-0b97d52351fc2bdcae16f1a1e7c56afd4ed476ad.tar.gz
archweb-0b97d52351fc2bdcae16f1a1e7c56afd4ed476ad.zip
Enable safe mode for markdown parsing
Although we don't allow unauthenticated users to post content, we should still cover our bases here and ensure people can't inject stuff into the production website via an inadvertent XSS. Signed-off-by: Dan McGee <dan@archlinux.org>
Diffstat (limited to 'templates')
-rw-r--r--templates/feeds/news_description.html2
-rw-r--r--templates/news/view.html2
-rw-r--r--templates/public/index.html4
3 files changed, 4 insertions, 4 deletions
diff --git a/templates/feeds/news_description.html b/templates/feeds/news_description.html
index e75d0af7..77830367 100644
--- a/templates/feeds/news_description.html
+++ b/templates/feeds/news_description.html
@@ -1,3 +1,3 @@
{% load markup %}
<p>{{obj.author.get_full_name}} wrote:</p>
-{{ obj.content|markdown }} \ No newline at end of file
+{{ obj.content|markdown:'safe' }}
diff --git a/templates/news/view.html b/templates/news/view.html
index 445f0398..b6c06b28 100644
--- a/templates/news/view.html
+++ b/templates/news/view.html
@@ -28,6 +28,6 @@
<p class="article-info">{{ news.postdate|date }} - {{ news.author.get_full_name }}</p>
- <div class="article-content" itemprop="articleBody">{{ news.content|markdown }}</div>
+ <div class="article-content" itemprop="articleBody">{{ news.content|markdown:'safe' }}</div>
</div>
{% endblock %}
diff --git a/templates/public/index.html b/templates/public/index.html
index 000a527b..762433a4 100644
--- a/templates/public/index.html
+++ b/templates/public/index.html
@@ -53,8 +53,8 @@
</h4>
<p class="timestamp">{{ news.postdate|date }}</p>
<div class="article-content">
- {% if forloop.counter0 == 0 %}{{ news.content|markdown|truncatewords_html:300 }}
- {% else %}{{ news.content|markdown|truncatewords_html:100 }}{% endif %}
+ {% if forloop.counter0 == 0 %}{{ news.content|markdown:'safe'|truncatewords_html:300 }}
+ {% else %}{{ news.content|markdown:'safe'|truncatewords_html:100 }}{% endif %}
</div>
{% else %}
{% if forloop.counter0 == 5 %}