From 0b97d52351fc2bdcae16f1a1e7c56afd4ed476ad Mon Sep 17 00:00:00 2001 From: Dan McGee Date: Fri, 26 Oct 2012 16:49:58 -0500 Subject: Enable safe mode for markdown parsing Although we don't allow unauthenticated users to post content, we should still cover our bases here and ensure people can't inject stuff into the production website via an inadvertent XSS. Signed-off-by: Dan McGee --- templates/feeds/news_description.html | 2 +- templates/news/view.html | 2 +- templates/public/index.html | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) (limited to 'templates') diff --git a/templates/feeds/news_description.html b/templates/feeds/news_description.html index e75d0af7..77830367 100644 --- a/templates/feeds/news_description.html +++ b/templates/feeds/news_description.html @@ -1,3 +1,3 @@ {% load markup %}

{{obj.author.get_full_name}} wrote:

-{{ obj.content|markdown }} \ No newline at end of file +{{ obj.content|markdown:'safe' }} diff --git a/templates/news/view.html b/templates/news/view.html index 445f0398..b6c06b28 100644 --- a/templates/news/view.html +++ b/templates/news/view.html @@ -28,6 +28,6 @@

{{ news.postdate|date }} - {{ news.author.get_full_name }}

-
{{ news.content|markdown }}
+
{{ news.content|markdown:'safe' }}
{% endblock %} diff --git a/templates/public/index.html b/templates/public/index.html index 000a527b..762433a4 100644 --- a/templates/public/index.html +++ b/templates/public/index.html @@ -53,8 +53,8 @@

{{ news.postdate|date }}

- {% if forloop.counter0 == 0 %}{{ news.content|markdown|truncatewords_html:300 }} - {% else %}{{ news.content|markdown|truncatewords_html:100 }}{% endif %} + {% if forloop.counter0 == 0 %}{{ news.content|markdown:'safe'|truncatewords_html:300 }} + {% else %}{{ news.content|markdown:'safe'|truncatewords_html:100 }}{% endif %}
{% else %} {% if forloop.counter0 == 5 %} -- cgit v1.2.3-55-g3dc8