#13980: The markdown template tag in django.contrib.markup should escape
preexisting HTML, as its output is marked as safe
-----------------------------------+----------------------------------------
Reporter: nomulous | Owner: nobody
Status: new | Milestone:
Component: Contrib apps | Version: 1.2
Resolution: | Keywords: markup, markdown, safe,
escape
Stage: Unreviewed | Has_patch: 1
Needs_docs: 0 | Needs_tests: 0
Needs_better_patch: 0 |
-----------------------------------+----------------------------------------
Changes (by nomulous):
* keywords: => markup, markdown, safe, escape
* needs_better_patch: 1 => 0
* summary: The markdown template tag in django.contrib.markup should not
be marked as safe output => The markdown
template tag in django.contrib.markup should
escape preexisting HTML, as its output is
marked as safe
Comment:
You're right. That was stupid of me.
But I was also wrong about the bug/security issue. Markdown would be
totally broken if we escaped its output (the user would just see HTML
code), so we obviously can't remove the is_safe = True line.
What should really be done is to actually escape the input before Markdown
processes it, and continue to mark it as safe output. We can do this using
django.utils.html.escape.
--
Ticket URL: <http://code.djangoproject.com/ticket/13980#comment:2>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To post to this group, send email to django-upda...@googlegroups.com.
To unsubscribe from this group, send email to
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/django-updates?hl=en.
