Skip to content

Fixes #9108 & #8944 - Sanitize HTML after rendering markdown #9522

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 20, 2022
Merged

Fixes #9108 & #8944 - Sanitize HTML after rendering markdown #9522

merged 1 commit into from
Jun 20, 2022

Conversation

@kkthxbye-code
Copy link
Contributor

@kkthxbye-code kkthxbye-code commented Jun 11, 2022

Fixes: #9108 and #8944

This PR removes the stripping of all HTML tags and the workarounds for sanitizing markdown links. Instead the HTML output of python-markdown is sanitized using bleach. The result is a more correct handling of markdown (HTML is explicitly allowed in the markdown spec) while still preventing user defined HTML that might result in XSS, by sanitizing with a whitelist approach.

From a little unscientific testing of a journal page with extreme markdown usage, the performance penalty is very slight (2-5% of total page load time).

I targeted this at the feature branch as a new dependency is added, not sure if that is correct. If it's not I'll change the target branch.

@kkthxbye-code
Copy link
Contributor Author

kkthxbye-code commented Jun 13, 2022

Should also fix #8230 which was auto closed.

@jeremystretch
Copy link
Member

jeremystretch commented Jun 17, 2022
edited
Loading

Thanks for digging into this @kkthxbye-code! I had a feeling the eventual fallback to bleach was inevitable.

I targeted this at the feature branch as a new dependency is added, not sure if that is correct. If it's not I'll change the target branch.

IMO it's fine to push this in the next patch release, since it's not a breaking change.

@jeremystretch jeremystretch changed the base branch from feature to develop June 17, 2022 17:26
@jeremystretch jeremystretch changed the base branch from develop to feature June 17, 2022 17:27
@kkthxbye-code kkthxbye-code changed the base branch from feature to develop June 17, 2022 17:28
@kkthxbye-code
Copy link
Contributor Author

kkthxbye-code commented Jun 17, 2022

I think it should be good now @jeremystretch - I'll never learn rebasing properly, always seems like a huge mess.

@jeremystretch
Copy link
Member

jeremystretch commented Jun 20, 2022

git

@jeremystretch jeremystretch merged commit 872c115 into netbox-community:develop Jun 20, 2022
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 17, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@jeremystretch jeremystretch Awaiting requested review from jeremystretch

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Markdown syntax not working correctly within comment fields

2 participants

@kkthxbye-code @jeremystretch