Before feeding the rendered Markdown to the template, we now pass it through Bleach so that unwanted tags are stripped away. I currently set it to use a very basic subset of tags (bold, italics, etc.) to protect against any cross-site scripting attacks. It's enough to render 99% of use cases, but we can amend as needed.
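As an added illustration (not the project's own code, and not Bleach itself), the standard-library sanitizer below does the same job the description assigns to `bleach.clean(html, tags=..., attributes=..., protocols=..., strip=True)`: it keeps an allowlist of tags, drops every attribute not allowlisted for that tag, rejects `href` values whose scheme is not http/https/mailto (after removing the whitespace and control characters browsers ignore, so `java\tscript:` cannot slip past), and discards `<script>`/`<style>` content rather than letting it fall out as visible text. It runs on the rendered HTML, not the Markdown source, because Markdown renderers pass raw HTML through untouched. The tag set, attribute set and sample inputs are assumptions chosen for this example. One caveat worth knowing about Bleach: by default it escapes disallowed tags so they show up as literal text; they are only removed when `strip=True` is passed.

```python
"""Allowlist HTML sanitizer modelled on bleach.clean(..., strip=True).

Added example, not the project's code: the project calls Bleach. This stdlib
stand-in shows what an allowlist sanitizer has to do so that rendered Markdown
cannot carry an XSS payload into the template.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlists (hypothetical values for this example): a basic subset of
# tags, the attributes permitted per tag, and the URL schemes allowed in href.
ALLOWED_TAGS = {"p", "b", "strong", "i", "em", "code", "pre",
                "ul", "ol", "li", "a", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_PROTOCOLS = {"http", "https", "mailto"}
VOID_TAGS = {"br"}                      # no closing tag is emitted for these
SKIPPED_CONTENT = {"script", "style"}   # tag *and* its text are discarded


def _safe_url(url: str) -> bool:
    """True if the URL is relative or uses an allowed scheme.

    Browsers strip tabs, newlines and other control characters before parsing
    a URL, so the check must do the same or "java\\tscript:" bypasses it.
    """
    normalised = "".join(ch for ch in url if ord(ch) > 0x20)
    scheme = urlparse(normalised).scheme.lower()
    return scheme == "" or scheme in ALLOWED_PROTOCOLS


class _AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.stack: list[str] = []   # open allowed tags, so output is balanced
        self.skip_depth = 0          # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in SKIPPED_CONTENT:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # strip the tag (and all of its attributes), keep its text
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops style=, onerror=, onclick=, ...
            if name == "href" and not _safe_url(value):
                continue  # drops javascript:, data:, vbscript: links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> behaves like <br>

    def handle_endtag(self, tag):
        if tag in SKIPPED_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in self.stack:
            # Close anything left open inside this tag, then the tag itself.
            while self.stack:
                open_tag = self.stack.pop()
                self.out.append(f"</{open_tag}>")
                if open_tag == tag:
                    break
        # Stray or disallowed end tags are dropped.

    def handle_data(self, data):
        if self.skip_depth == 0:
            # convert_charrefs decoded entities; re-escape so text stays text.
            self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions are dropped by default.


def sanitize(rendered_html: str) -> str:
    """Sanitize rendered Markdown output before it reaches the template."""
    parser = _AllowlistSanitizer()
    parser.feed(rendered_html)
    parser.close()
    while parser.stack:                 # close tags the input left open
        parser.out.append(f"</{parser.stack.pop()}>")
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample of what a Markdown renderer might emit for a
    # comment that mixes formatting with raw HTML payloads.
    rendered = ('<p>Hello <b>world</b> <img src=x onerror="alert(1)">'
                '<a href="javascript:alert(2)">link</a></p>'
                '<script>alert(3)</script>')
    print(sanitize(rendered))
```

The output for the constructed sample is `<p>Hello <b>world</b> <a>link</a></p>`: the image and its `onerror` handler are gone, the link survives without its `javascript:` target, and the script's body does not reappear as text. Widening the allowlist later (images, tables, headings) means extending `ALLOWED_TAGS` and, for each new tag, deciding which attributes are safe; `src` on `<img>` needs the same scheme check as `href`.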