||ThomasAH, ber, mschieder, ncoghlan, rouilj
I took a look at local_markdown.py, the commonmark spec and the python
implementation. My one concern is that raw html is passed through the
I wonder if this could be used for some form of attack using html/iframe
or possibly letting a <script> tag skip through. The latter would be
really bad as without the correct restrictions in place it would be
I think using local_replace to change < into &lt; and > into &gt;
before passing the resulting text to local_markdown will shortcut this
attack, but I am not positive.
However doing so will break markdown email links: <email@example.com>
for example. It may also have some other unwanted side effects.
I didn't see an obvious way to patch/modify the commonmark library
to neuter html and wrap it in <pre> blocks. Alternatively prevent
some tags (e.g. iframe, script) from being recognized as a block.
Maybe this can be done by modifying reHtmlBlockOpen, or monkey patching
a class may work. My python knowledge isn't good enough to say.
Also have you considered implementing a document preview mode to allow
web entry of commonmark to be tested before it is committed?
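As an added illustration of the local_replace idea above (example code, not part of the issue or of Roundup's own code), this pre-processor escapes `<` and `>` before the text would reach local_markdown, but exempts the constructs whose angle brackets are CommonMark syntax, so `<email@example.com>` autolinks and code spans keep working. The function names and the sample message text are constructed for the example; the pattern shapes follow the CommonMark spec's autolink and code definitions.

```python
import re

# CommonMark autolink forms: <scheme:...> and <user@host>.
URI_AUTOLINK = r"<[A-Za-z][A-Za-z0-9.+-]{1,31}:[^<>\x00-\x20]*>"
EMAIL_AUTOLINK = (
    r"<[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*>"
)
# Fenced code blocks and inline code spans: CommonMark already HTML-escapes
# their contents, so pre-escaping them would render a literal "&lt;".
FENCED_BLOCK = r"^(?P<fence>`{3,}|~{3,})[^\n]*\n.*?^(?P=fence)[ \t]*$"
CODE_SPAN = r"(?P<ticks>`+)(?!`).+?(?<!`)(?P=ticks)(?!`)"

# Regions to keep verbatim; everything between them gets escaped.
PRESERVE = re.compile(
    "|".join(f"(?:{p})" for p in (FENCED_BLOCK, CODE_SPAN, EMAIL_AUTOLINK, URI_AUTOLINK)),
    re.MULTILINE | re.DOTALL,
)


def escape_angles(s: str) -> str:
    """Turn raw HTML tag delimiters into entities CommonMark shows as text."""
    return s.replace("<", "&lt;").replace(">", "&gt;")


def neutralize_raw_html(text: str) -> str:
    """Escape < and > outside autolinks and code, so raw HTML such as
    <script> or <iframe> is rendered literally instead of passed through."""
    out, pos = [], 0
    for m in PRESERVE.finditer(text):
        out.append(escape_angles(text[pos:m.start()]))
        out.append(m.group(0))  # autolink or code: keep as written
        pos = m.end()
    out.append(escape_angles(text[pos:]))
    return "".join(out)


# Constructed sample message (not from the tracker) mixing all four cases.
SAMPLE = (
    "Contact <alice@example.com> or <https://example.com/?a=1&b=2>.\n"
    "Inline `<b>` stays code.\n"
    "<script>x()</script>\n"
    "```\n<iframe src=x></iframe>\n```\n"
)

if __name__ == "__main__":
    print(neutralize_raw_html(SAMPLE))
```

Only the bare `<script>` line is escaped in the sample; the two autolinks, the code span and the fenced block come out unchanged.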
|2019-01-12 01:41:46||rouilj||set||messageid: <firstname.lastname@example.org>|
+ rouilj, ber, ThomasAH, ncoghlan, mschieder|
|2019-01-12 01:41:45||rouilj||link||issue2550856 messages|