Fixed #17837. Improved markdown safety.

Markdown enable_attributes is now False when safe_mode is enabled. Documented the markdown "safe" argument. Added warnings when the safe argument is passed to versions of markdown which cannot be made safe. Deprecated versions of markdown < 2.1. Many thanks to ptone for the patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17735 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2025-10-27 15:46:10 +00:00 · 2012-03-14 19:06:23 +00:00
parent eb9eaa6d71
commit 14df122f86
5 changed files with 70 additions and 3 deletions
--- a/django/contrib/markup/templatetags/markup.py
+++ b/django/contrib/markup/templatetags/markup.py
@@ -11,6 +11,8 @@ markup syntaxes to HTML; currently there is support for:
    * reStructuredText, which requires docutils from http://docutils.sf.net/
 """

+import warnings
+
 from django import template
 from django.conf import settings
 from django.utils.encoding import smart_str, force_unicode
@@ -63,14 +65,25 @@ def markdown(value, arg=''):
                safe_mode = True
            else:
                safe_mode = False
-
+            python_markdown_deprecation = "The use of Python-Markdown "
+            "< 2.1 in Django is deprecated; please update to the current version"
            # Unicode support only in markdown v1.7 or above. Version_info
            # exist only in markdown v1.6.2rc-2 or above.
-            if getattr(markdown, "version_info", None) < (1,7):
+            markdown_vers = getattr(markdown, "version_info", None)
+            if markdown_vers < (1,7):
+                warnings.warn(python_markdown_deprecation, DeprecationWarning)
                return mark_safe(force_unicode(markdown.markdown(smart_str(value), extensions, safe_mode=safe_mode)))
            else:
-                return mark_safe(markdown.markdown(force_unicode(value), extensions, safe_mode=safe_mode))
+                if markdown_vers >= (2,1):
+                    if safe_mode:
+                        return mark_safe(markdown.markdown(force_unicode(value), extensions, safe_mode=safe_mode, enable_attributes=False))
+                    else:
+                        return mark_safe(markdown.markdown(force_unicode(value), extensions, safe_mode=safe_mode))
+                else:
+                    warnings.warn(python_markdown_deprecation, DeprecationWarning)
+                    return mark_safe(markdown.markdown(force_unicode(value), extensions, safe_mode=safe_mode))
        else:
+            warnings.warn(python_markdown_deprecation, DeprecationWarning)
            return mark_safe(force_unicode(markdown.markdown(smart_str(value))))

@register.filter(is_safe=True)
--- a/django/contrib/markup/tests.py
+++ b/django/contrib/markup/tests.py
@@ -58,6 +58,20 @@ Paragraph 2 with a link_
        pattern = re.compile("""<p>Paragraph 1\s*</p>\s*<h2>\s*An h2</h2>""")
        self.assertTrue(pattern.match(rendered))

+    @unittest.skipUnless(markdown, 'markdown no installed')
+    def test_markdown_attribute_disable(self):
+        t = Template("{% load markup %}{{ markdown_content|markdown:'safe' }}")
+        markdown_content = "{@onclick=alert('hi')}some paragraph"
+        rendered = t.render(Context({'markdown_content':markdown_content})).strip()
+        self.assertTrue('@' in rendered)
+
+    @unittest.skipUnless(markdown, 'markdown no installed')
+    def test_markdown_attribute_enable(self):
+        t = Template("{% load markup %}{{ markdown_content|markdown }}")
+        markdown_content = "{@onclick=alert('hi')}some paragraph"
+        rendered = t.render(Context({'markdown_content':markdown_content})).strip()
+        self.assertFalse('@' in rendered)
+
    @unittest.skipIf(markdown, 'markdown is installed')
    def test_no_markdown(self):
        t = Template("{% load markup %}{{ markdown_content|markdown }}")