From 738368a6a142eec8ae43899755fa2773a3177ff1 Mon Sep 17 00:00:00 2001
From: Jeremy Stretch
Date: Wed, 9 Oct 2019 14:47:40 -0400
Subject: [PATCH] Closes #3471: Disallow raw HTML in Markdown-rendered fields

---
 CHANGELOG.md | 1 +
 netbox/utilities/templatetags/helpers.py | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3ca874bea..993a89c3b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@ v2.6.6 (FUTURE)
 * [#1941](https://github.com/netbox-community/netbox/issues/1941) - Add InfiniBand interface types
 * [#3259](https://github.com/netbox-community/netbox/issues/3259) - Add `rack` and `site` filters for cables
+* [#3471](https://github.com/netbox-community/netbox/issues/3471) - Disallow raw HTML in Markdown-rendered fields
 * [#3563](https://github.com/netbox-community/netbox/issues/3563) - Enable editing of individual DeviceType components
 * [#3580](https://github.com/netbox-community/netbox/issues/3580) - Render text and URL fields as textareas in the custom link form
diff --git a/netbox/utilities/templatetags/helpers.py b/netbox/utilities/templatetags/helpers.py
index e6616d888..7b1e059a6 100644
--- a/netbox/utilities/templatetags/helpers.py
+++ b/netbox/utilities/templatetags/helpers.py
@@ -3,6 +3,7 @@ import json
 import re
 from django import template
+from django.utils.html import strip_tags
 from django.utils.safestring import mark_safe
 from markdown import markdown
@@ -58,7 +59,12 @@ def gfm(value):
     """
     Render text as GitHub-Flavored Markdown
     """
+    # Strip HTML tags
+    value = strip_tags(value)
+
+    # Render Markdown with GFM extension
     html = markdown(value, extensions=['mdx_gfm'])
+
     return mark_safe(html)
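Review bot: `strip_tags` on the new `value = strip_tags(value)` line is not a sanitizer — Django's documentation states its result is not guaranteed to be HTML-safe and should not be passed to `mark_safe` without further escaping, yet the stripped text is fed straight to `markdown()` and the output is marked safe on the last line of the hunk. Pre-stripping also does nothing about markup the renderer itself emits, such as link or image URLs with non-http schemes, so the fix narrows the injection surface without closing it; an allowlist-based sanitizer (elements, attributes and URL schemes) applied to `html` before `mark_safe(html)` would be the more robust shape. It likely also removes legitimate GFM autolinks written as `<https://example.com>`, since they look like tags to the stripper — worth covering with a test. `gfm`'s signature lies outside the hunk, and the docstring should reflect the new behaviour, e.g. `Render text as GitHub-Flavored Markdown. Raw HTML tags in the input are stripped before rendering.`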