fixed issue #130 (add new EscapeHtml extension to handle the XSS vulnerabilities)

Author: agusmakmun

README.rst

@@ -137,9 +137,6 @@ to get ``IMGUR_CLIENT_ID`` and ``IMGUR_API_KEY``.
     MARTOR_IMGUR_CLIENT_ID = 'your-client-id'
     MARTOR_IMGUR_API_KEY   = 'your-api-key'
 
-    # Safe Mode
-    MARTOR_MARKDOWN_SAFE_MODE = True # default
-
     # Markdownify
     MARTOR_MARKDOWNIFY_FUNCTION = 'martor.utils.markdownify' # default
     MARTOR_MARKDOWNIFY_URL = '/martor/markdownify/' # default
@@ -153,10 +150,11 @@ to get ``IMGUR_CLIENT_ID`` and ``IMGUR_API_KEY``.
 
         # Custom markdown extensions.
         'martor.extensions.urlize',
-        'martor.extensions.del_ins',    # ~~strikethrough~~ and ++underscores++
-        'martor.extensions.mention',    # to parse markdown mention
-        'martor.extensions.emoji',      # to parse markdown emoji
-        'martor.extensions.mdx_video',  # to parse embed/iframe video
+        'martor.extensions.del_ins',      # ~~strikethrough~~ and ++underscores++
+        'martor.extensions.mention',      # to parse markdown mention
+        'martor.extensions.emoji',        # to parse markdown emoji
+        'martor.extensions.mdx_video',    # to parse embed/iframe video
+        'martor.extensions.escape_html',  # to handle the XSS vulnerabilities
     ]
 
     # Markdown Extensions Configs

martor/extensions/escape_html.py

@@ -0,0 +1,18 @@
+
+import markdown
+
+
+class EscapeHtml(markdown.Extension):
+
+    def extendMarkdown(self, md):
+        md.preprocessors.deregister('html_block')
+        md.inlinePatterns.deregister('html')
+
+
+def makeExtension(*args, **kwargs):
+    return EscapeHtml(*args, **kwargs)
+
+
+if __name__ == "__main__":
+    import doctest
+    doctest.testmod()

martor/settings.py

@@ -37,11 +37,6 @@
     settings, 'MARTOR_IMGUR_API_KEY', ''
 )
 
-# Safe Mode
-MARTOR_MARKDOWN_SAFE_MODE = getattr(
-    settings, 'MARTOR_MARKDOWN_SAFE_MODE', True
-)
-
 # Markdownify
 MARTOR_MARKDOWNIFY_FUNCTION = getattr(
     settings, 'MARTOR_MARKDOWNIFY_FUNCTION', 'martor.utils.markdownify'
@@ -60,10 +55,11 @@
 
         # Custom markdown extensions.
         'martor.extensions.urlize',
-        'martor.extensions.del_ins',    # ~~strikethrough~~ and ++underscores++
-        'martor.extensions.mention',    # to parse markdown mention
-        'martor.extensions.emoji',      # to parse markdown emoji
-        'martor.extensions.mdx_video',  # to parse embed/iframe video
+        'martor.extensions.del_ins',      # ~~strikethrough~~ and ++underscores++
+        'martor.extensions.mention',      # to parse markdown mention
+        'martor.extensions.emoji',        # to parse markdown emoji
+        'martor.extensions.mdx_video',    # to parse embed/iframe video
+        'martor.extensions.escape_html',  # to handle the XSS vulnerabilities
     ]
 )
 

martor/utils.py

@@ -4,7 +4,6 @@
 
 import markdown
 from .settings import (
-    MARTOR_MARKDOWN_SAFE_MODE,
     MARTOR_MARKDOWN_EXTENSIONS,
     MARTOR_MARKDOWN_EXTENSION_CONFIGS
 )
@@ -28,7 +27,6 @@ def markdownify(markdown_content):
     try:
         return markdown.markdown(
             markdown_content,
-            safe_mode=MARTOR_MARKDOWN_SAFE_MODE,
             extensions=MARTOR_MARKDOWN_EXTENSIONS,
             extension_configs=MARTOR_MARKDOWN_EXTENSION_CONFIGS
         )