Author rouilj
Recipients ThomasAH, ber, mschieder, ncoghlan, rouilj
Date 2019-01-12.01:41:45
Message-id <>
Hi Magnus:

I took a look at the commonmark spec and the python
implementation. My one concern is that raw html is passed through the

I wonder if this could be used for some form of attack using html/iframe
or possibly letting a <script> tag skip through. The latter would be
really bad as without the correct restrictions in place it would be

I think using local_replace to change < into &lt; and > into &gt;
before passing the resulting text to local_markdown will shortcut this
attack, but I am not positive.

However doing so will break markdown email links: <>
for example. It may also have some other unwanted side effects.

I didn't see an obvious way to patch/modify the commonmark library
to neuter html and wrap it in <pre> blocks. Alternatively prevent
some tags (e.g. iframe, script) from being recognized as a block.
Maybe this can be done by modifying reHtmlBlockOpen, or monkey patching
a class may work. My python knowledge isn't good enough to say.

Also have you considered implementing a document preview mode to allow
web entry of commonmark to be tested before it is committed?

-- rouilj
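As an added illustration of the pre-escaping idea discussed above (example code, not Roundup's own and not the author's), this Python function turns `<` and `>` into `&lt;`/`&gt;` everywhere except around a CommonMark autolink, so `<user@host>` and `<https://...>` links survive; the function name and the two regexes are my own approximation of the spec's autolink definitions.

```python
import re

# Approximation of the CommonMark autolink forms:
#   <scheme:rest>  scheme = a letter followed by 1-31 letters/digits/+/./-,
#                  rest contains no whitespace, control chars, '<' or '>'
#   <email>        HTML5-style email address (local@domain)
_URI_AUTOLINK = r"[A-Za-z][A-Za-z0-9+.\-]{1,31}:[^\s<>\x00-\x1f\x7f]*"
_EMAIL_AUTOLINK = (
    r"[A-Za-z0-9.!#$%&'*+/=?^_`{|}~\-]+@[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?)*"
)
_AUTOLINK_RE = re.compile(r"<(?:%s|%s)>" % (_URI_AUTOLINK, _EMAIL_AUTOLINK))


def _escape_angles(chunk):
    # Only '<' and '>' are touched; '&' is left alone so existing entities
    # in the text still render as the author wrote them.
    return chunk.replace("<", "&lt;").replace(">", "&gt;")


def escape_html_keep_autolinks(text):
    """Escape '<' and '>' except where they delimit a CommonMark autolink.

    Anything that merely looks like a raw HTML tag (<script>, <iframe ...>,
    </div>) no longer reaches the markdown converter as markup, so it is
    emitted as literal text.  Autolinks are passed through untouched; which
    URL schemes they may carry is the converter's own policy, not this
    function's (hypothetical helper, written for this illustration).
    """
    out = []
    pos = 0
    for m in _AUTOLINK_RE.finditer(text):
        out.append(_escape_angles(text[pos:m.start()]))
        out.append(m.group(0))  # autolink kept verbatim
        pos = m.end()
    out.append(_escape_angles(text[pos:]))
    return "".join(out)
```

One side effect to be aware of: a `<` inside a backtick code span is escaped too, and since CommonMark does not decode entities inside code spans, it will display as `&lt;` rather than `<`.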
