# HG changeset patch
# User Mads Kiilerich
# Date 2018-11-04 23:31:07
# Node ID 22c8f23cc75b388665fb92dd2fd89313d3a4f77f
# Parent 475d54df23f5a37d4459216206a3ca2adcaaf6cf
# Parent d85ce8c88f0d4ec001e444f1ca0802ff14ac831a
Merge stable
diff --git a/.hgtags b/.hgtags
--- a/.hgtags
+++ b/.hgtags
@@ -67,3 +67,4 @@ a84d40e9481fcea4dafadee86b03f0dd401527d6
 64ea7ea0923618a0c117acebb816a6f0d162bfdb 0.3.3
 cf635c823ea059cc3a1581b82d8672e46b682384 0.3.4
 4cca4cc6a0a97f4c4763317184cd41aca4297630 0.3.5
+082c9b8f0f17bd34740eb90c69bdc4c80d4b5b31 0.3.6
diff --git a/kallithea/lib/base.py b/kallithea/lib/base.py
--- a/kallithea/lib/base.py
+++ b/kallithea/lib/base.py
@@ -328,7 +328,7 @@ class BaseVCSController(object):
 Checks permissions using action (push/pull) user and repository name
- :param action: push or pull action
+ :param action: 'push' or 'pull' action
 :param user: `User` instance
 :param repo_name: repository name
 """
diff --git a/kallithea/lib/markup_renderer.py b/kallithea/lib/markup_renderer.py
--- a/kallithea/lib/markup_renderer.py
+++ b/kallithea/lib/markup_renderer.py
@@ -30,6 +30,9 @@ import re
 import logging
 import traceback
+import markdown as markdown_mod
+import bleach
+
 from kallithea.lib.utils2 import safe_unicode, MENTIONS_REGEX
 log = logging.getLogger(__name__)
@@ -138,17 +141,43 @@ class MarkupRenderer(object):
 @classmethod
 def markdown(cls, source, safe=True, flavored=False):
+ """
+ Convert Markdown (possibly GitHub Flavored) to XSS safe HTML, possibly
+ with "safe" fall-back to plaintext.
+
+ >>> MarkupRenderer.markdown('''''')
+ u'
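Review bot: `import markdown as markdown_mod` and `import bleach` become unconditional module-level imports in this hunk, while the function-level `except ImportError` fallback to `cls.plain(source)` is removed in the `MarkupRenderer.markdown` hunk below, so a missing package now fails when kallithea.lib.markup_renderer is imported instead of degrading to plaintext. For the HTML sanitiser that is the right fail-closed choice — a renderer that silently runs without its sanitiser would be worse than one that does not start — but it presumes `bleach` is declared in the project's install requirements, which this diff does not show. The second hunk's `markdown` body continues past the end of the visible patch, so the fate of the old `except ImportError` branch is only partly visible here. A one-line comment above the two imports would record the intent: `# markdown and bleach are hard requirements: rendered HTML must always pass through the sanitiser`.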

' + >>> MarkupRenderer.markdown('''''') + u'

' + >>> MarkupRenderer.markdown('''foo''') + u'

foo

' + >>> MarkupRenderer.markdown('''''') + u'<script>alert(1)</script>' + >>> MarkupRenderer.markdown('''
yo
''') + u'
yo
' + >>> MarkupRenderer.markdown('''yo''') + u'

yo

'
+ """
 source = safe_unicode(source)
 try:
- import markdown as __markdown
 if flavored:
 source = cls._flavored_markdown(source)
- return __markdown.markdown(source,
+ markdown_html = markdown_mod.markdown(source,
 extensions=['codehilite', 'extra'],
 extension_configs={'codehilite': {'css_class': 'code-highlight'}})
- except ImportError:
- log.warning('Install markdown to use this function')
- return cls.plain(source)
+ # Allow most HTML, while preventing XSS issues:
+ # no