fix: XSS using javascript: URLs #167

Author: Agus Makmun

martor/__init__.py

@@ -1,5 +1,5 @@
 # -*- coding: utf-8 -*-
 
-__VERSION__ = '1.6.7'
+__VERSION__ = '1.6.8'
 __AUTHOR__ = 'Agus Makmun (Summon Agus)'
 __AUTHOR_EMAIL__ = '[email protected]'

martor/settings.py

@@ -106,3 +106,9 @@
 MARTOR_ALTERNATIVE_JQUERY_JS_FILE = getattr(
     settings, 'MARTOR_ALTERNATIVE_JQUERY_JS_FILE', None
 )
+
+ALLOWED_URL_SCHEMES = getattr(
+    settings, 'ALLOWED_URL_SCHEMES',
+    ['file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto',
+     'sftp', 'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp']
+)

martor/static/martor/css/martor-admin.min.css

@@ -1,7 +1,7 @@
 /**
- * Name         : Martor v1.6.7
+ * Name         : Martor v1.6.8
  * Created by   : Agus Makmun (Summon Agus)
- * Release date : 19-Dec-2021
+ * Release date : 21-Dec-2021
  * License      : GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007
  * Repository   : https://github.com/agusmakmun/django-markdown-editor
 **/

martor/static/martor/css/martor.bootstrap.min.css

@@ -1,7 +1,7 @@
 /**
- * Name         : Martor v1.6.7
+ * Name         : Martor v1.6.8
  * Created by   : Agus Makmun (Summon Agus)
- * Release date : 19-Dec-2021
+ * Release date : 21-Dec-2021
  * License      : GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007
  * Repository   : https://github.com/agusmakmun/django-markdown-editor
 **/

martor/static/martor/css/martor.semantic.min.css

@@ -7,15 +7,15 @@
 
 
 @register.filter
-def safe_markdown(field_name):
+def safe_markdown(markdown_text):
     """
     Safe the markdown text as html ouput.
 
     Usage:
         {% load martortags %}
-        {{ field_name|safe_markdown }}
+        {{ markdown_text|safe_markdown }}
 
     Example:
         {{ post.description|safe_markdown }}
     """
-    return mark_safe(markdownify(field_name))
+    return mark_safe(markdownify(markdown_text))