Merge ~cjwatson/launchpad:markdown-bleach into launchpad:master
| Field | Value |
|---|---|
| Status | Merged |
| Approved by | Colin Watson |
| Approved revision | f49c43c959abf9b2c6807a5d10c48167689f1cb8 |
| Merge reported by | Otto Co-Pilot |
| Merged at revision | not available |
| Proposed branch | ~cjwatson/launchpad:markdown-bleach |
| Merge into | launchpad:master |
| Diff against target | 191 lines (+83/-15), 4 files modified: lib/lp/app/browser/stringformatter.py (+25/-7), lib/lp/app/browser/tests/test_stringformatter.py (+54/-6), requirements/launchpad.txt (+2/-1), setup.cfg (+2/-1) |
| Related bugs | |
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Andrey Fedoseev (community) | Approve | | |
Review via email: mp+425067@code.qastaging.launchpad.net |
Commit message
Upgrade Markdown and sanitize its output using bleach
Description of the change
This makes a start at reviving the old experiment to allow user-supplied Markdown. `safe_mode` is deprecated, so use `bleach` to sanitize the resulting HTML instead (important to avoid trivial XSS attacks), and also add the `fenced_code` extension since that looks like something we're likely to want.
As per the linked bug, there are a number of things still to fix, and this is still behind a feature flag.
Dependencies MP: https:/
This looks good.
Shall we add some tests to confirm that the malicious code is escaped, or do we have them already?
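The pattern the description states (render Markdown with the `fenced_code` extension, then sanitize the resulting HTML with `bleach` rather than the deprecated `safe_mode`), as an added, stand-alone example. This is not Launchpad's `stringformatter.py` and not the reviewer's requested test; the tag, attribute and protocol allowlists are assumptions chosen for illustration, and the sample inputs are constructed. It requires the `markdown` and `bleach` packages, and `render_unsanitized` is included only to show what reaches the page when the bleach step is skipped.

```python
"""Render user-supplied Markdown, then sanitize the HTML with bleach.

Added example: not Launchpad's stringformatter.py. The allowlists below are
assumptions for illustration, not the ones in the branch. Requires the
``markdown`` and ``bleach`` packages.
"""
import bleach
import markdown

# Tags Markdown itself emits, plus <img>. Anything else a user types as raw
# HTML (<script>, <iframe>, <style>, <form>, ...) is dropped by bleach.
# Assumed allowlist.
ALLOWED_TAGS = {
    "p", "br", "hr", "em", "strong", "del", "code", "pre", "blockquote",
    "ul", "ol", "li", "h1", "h2", "h3", "h4", "h5", "h6", "a", "img",
}

# Attributes are allowed per tag. No on* event handler is listed, so
# ``<img src=... onerror=alert(1)>`` keeps src and loses onerror.
ALLOWED_ATTRIBUTES = {
    "a": ["href", "title"],
    "img": ["src", "alt", "title"],
    "code": ["class"],  # fenced_code emits class="language-xyz"
}

# An href/src whose scheme is not listed has the whole attribute removed,
# which neutralises javascript: and data: URLs while keeping the link text.
ALLOWED_PROTOCOLS = ["http", "https", "mailto"]


def render_unsanitized(text):
    """Markdown only: raw HTML in the input passes straight through."""
    return markdown.markdown(text, extensions=["fenced_code"])


def render(text):
    """Markdown followed by bleach, the approach the merge proposal takes."""
    html = render_unsanitized(text)
    return bleach.clean(
        html,
        tags=ALLOWED_TAGS,
        attributes=ALLOWED_ATTRIBUTES,
        protocols=ALLOWED_PROTOCOLS,
        strip=True,  # drop disallowed tags rather than escaping them as text
    )


# Constructed inputs: three common XSS vectors and two benign documents.
# The javascript: URL is percent-encoded so the example does not depend on
# how the Markdown parser treats parentheses inside a link destination.
SAMPLES = {
    "script": "hello <script>alert(1)</script> world",
    "js_href": "[click me](javascript:alert%281%29)",
    "event_handler": '<img src="http://example.com/x.png" onerror="alert(1)">',
    "fenced": "```python\nprint(1)\n```",
    "emphasis": "**bold** and *em*",
}


def dangerous_markup_present(html):
    """True if any of the markers we treat as dangerous survives in html."""
    lowered = html.lower()
    return any(m in lowered for m in ("<script", "javascript:", "onerror="))


if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(f"--- {name}")
        print("unsanitized:", render_unsanitized(src))
        print("sanitized:  ", render(src))
```

The allowlist is deliberately built from what Markdown generates, not from "everything except script": bleach removes a disallowed attribute or URL scheme rather than trying to recognise dangerous values, so a new event-handler attribute or scheme never needs a blocklist update.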