none77087 / python-markdown2

Automatically exported from code.google.com/p/python-markdown2

safe_mode bypassed by links #51

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
>>> from markdown2 import Markdown
>>> m = Markdown(safe_mode='replace')
>>> m.convert("[evil][evil]\n[evil]: javascript:alert('evil');")
u'<p><a href="javascript:alert(\'evil\');">evil</a></p>\n'
>>> m.convert('![img](javascript:void\(0\);)')
u'<p><img src="javascript:void(0);" alt="img" /></p>\n'

As you can see, it's possible to execute JavaScript code via the src & href 
attributes and maybe others. It would be good to have something like 
`is_safe_link` in Markdown's constructor:

  def is_safe_link(value):
    return value.startswith('http://') or value.startswith('#')

What version of the product are you using? On what operating system?

1.0.1.17

Original issue reported on code.google.com by he...@precheur.org on 19 Jan 2011 at 12:10

GoogleCodeExporter commented 8 years ago
Oops, I forgot the end:

  from markdown2 import Markdown

  def is_safe_link(value):
    return value.startswith('http://') or value.startswith('#')
  m = Markdown(safe_mode='replace', is_safe_link=is_safe_link)

  >>> m.convert("[evil][evil]\n[evil]: javascript:alert('evil');")
  u'<p><a>evil</a></p>\n'

The result could be something else like u'<p>[HTML_REMOVED]evil[HTML_REMOVED]</p>\n'

Original comment by he...@precheur.org on 19 Jan 2011 at 12:15
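The scheme allow-list sketched in both comments above, written out as an added example (this is not markdown2's own code and not the reporter's snippet). It normalises a URL the way browsers do before looking at the scheme, so case tricks and embedded tab/newline characters do not slip past, and a small html.parser pass drops `href`/`src` attributes that fail the check from already-rendered HTML, giving the `<a>evil</a>` output the second comment proposes. `SAFE_SCHEMES`, `URL_ATTRS`, `LinkSanitizer` and `sanitize_links` are names chosen for this example; the sample HTML strings are constructed from the outputs quoted in the issue.

```python
import html
import re
from html.parser import HTMLParser

# Schemes a link or image in user-authored Markdown may use. This is an
# assumption for the example; the issue itself only allows "http://" and "#".
SAFE_SCHEMES = frozenset({"http", "https", "mailto"})

# Attributes whose values are URLs and therefore need the scheme check.
URL_ATTRS = frozenset({"href", "src"})

# A URL scheme: a letter followed by letters, digits, "+", "." or "-", then ":".
_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def is_safe_link(value):
    """Return True if the URL uses an allowed scheme or has no scheme at all.

    Browsers drop leading control characters and whitespace, strip tab, CR
    and LF from anywhere in a URL, and compare the scheme case-insensitively,
    so the check applies the same normalisation before inspecting the scheme.
    """
    if value is None:
        return True
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n")
    cleaned = cleaned.lstrip("".join(chr(c) for c in range(0x21)))
    m = _SCHEME_RE.match(cleaned)
    if m is None:
        # No scheme: a relative path, a "#fragment" or a protocol-relative
        # "//host/..." URL, all of which inherit the page's own scheme.
        return True
    return m.group(1).lower() in SAFE_SCHEMES


class LinkSanitizer(HTMLParser):
    """Re-serialise HTML, dropping href/src attributes that fail is_safe_link.

    Dropping only the attribute (not the element) mirrors the '<a>evil</a>'
    output suggested in the issue. HTMLParser decodes entities in attribute
    values before handing them over, so "javascript&#58;..." is checked in its
    decoded form rather than sneaking through as text.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # (tag, attribute, value) triples that were removed

    def _attrs(self, tag, attrs):
        parts = []
        for name, val in attrs:
            if name.lower() in URL_ATTRS and not is_safe_link(val):
                self.dropped.append((tag, name, val))
                continue
            if val is None:
                parts.append(f" {name}")
            else:
                parts.append(f' {name}="{html.escape(val, quote=True)}"')
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)} />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text arrives entity-decoded; re-escape it so markup cannot be injected.
        self.out.append(html.escape(data, quote=False))

    def result(self):
        return "".join(self.out)


def sanitize_links(rendered_html):
    """Return (cleaned_html, dropped_attributes) for a rendered HTML fragment."""
    parser = LinkSanitizer()
    parser.feed(rendered_html)
    parser.close()
    return parser.result(), parser.dropped


# Constructed samples, taken from the outputs quoted in the issue.
SAMPLES = [
    "<p><a href=\"javascript:alert('evil');\">evil</a></p>\n",
    '<p><img src="javascript:void(0);" alt="img" /></p>\n',
    '<p><a href="http://example.com/">ok</a></p>\n',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        cleaned, dropped = sanitize_links(sample)
        print(repr(cleaned), dropped)
```

Because the check is an allow-list, anything with an unrecognised scheme (`data:`, `vbscript:`, a mistyped `htp:`) is rejected rather than having to be enumerated; the cost is that a bare `host:port/path` reference without a scheme is also refused, which is the conservative side to err on for user-supplied Markdown.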