Merge ~cjwatson/launchpad:markdown-bleach into launchpad:master
Proposed by
Colin Watson
| Status: | Merged |
|---|---|
| Approved by: | Colin Watson |
| Approved revision: | f49c43c959abf9b2c6807a5d10c48167689f1cb8 |
| Merge reported by: | Otto Co-Pilot |
| Merged at revision: | not available |
| Proposed branch: | ~cjwatson/launchpad:markdown-bleach |
| Merge into: | launchpad:master |
| Diff against target: |
191 lines (+83/-15) 4 files modified
lib/lp/app/browser/stringformatter.py (+25/-7) lib/lp/app/browser/tests/test_stringformatter.py (+54/-6) requirements/launchpad.txt (+2/-1) setup.cfg (+2/-1) |
| Related bugs: |
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Andrey Fedoseev (community) | Approve | ||
|
Review via email:
|
|||
Commit message
Upgrade Markdown and sanitize its output using bleach
Description of the change
This makes a start at reviving the old experiment to allow user-supplied Markdown. `safe_mode` is deprecated, so use `bleach` to sanitize the resulting HTML instead (important to avoid trivial XSS attacks), and also add the `fenced_code` extension since that looks like something we're likely to want.
As per the linked bug, there are a number of things still to fix, and this is still behind a feature flag.
Dependencies MP: https:/
To post a comment you must log in.
Revision history for this message
| Colin Watson (cjwatson) wrote | # |
There was an error fetching revisions from git servers. Please try again in a few minutes. If the problem persists, contact Launchpad support.
Preview Diff
[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
This looks good.
Shall we add some tests to confirm that the malicious code is escaped, or do we have them already?