
Closes #3471: Disallow raw HTML in Markdown-rendered fields

Jeremy Stretch, 6 years ago

Commit 738368a6a1

2 changed files with 7 additions and 0 deletions:

  1. CHANGELOG.md (+1, -0)
  2. netbox/utilities/templatetags/helpers.py (+6, -0)

CHANGELOG.md (+1, -0)

@@ -11,6 +11,7 @@ v2.6.6 (FUTURE)
 
 * [#1941](https://github.com/netbox-community/netbox/issues/1941) - Add InfiniBand interface types
 * [#3259](https://github.com/netbox-community/netbox/issues/3259) - Add `rack` and `site` filters for cables
+* [#3471](https://github.com/netbox-community/netbox/issues/3471) - Disallow raw HTML in Markdown-rendered fields
 * [#3563](https://github.com/netbox-community/netbox/issues/3563) - Enable editing of individual DeviceType components
 * [#3580](https://github.com/netbox-community/netbox/issues/3580) - Render text and URL fields as textareas in the custom link form
 
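Review bot: The entry only states that raw HTML is disallowed, but the accompanying change runs `strip_tags` over the Markdown source before rendering, which removes anything tag-shaped from the text, including legitimate Markdown such as an autolink written as `<https://example.com>` or a code span containing `<div>`. That user-visible side effect belongs in the changelog entry so that users of Markdown-rendered fields know why such content disappears after this release.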

netbox/utilities/templatetags/helpers.py (+6, -0)

@@ -3,6 +3,7 @@ import json
 import re
 
 from django import template
+from django.utils.html import strip_tags
 from django.utils.safestring import mark_safe
 from markdown import markdown
 
@@ -58,7 +59,12 @@ def gfm(value):
     """
     Render text as GitHub-Flavored Markdown
     """
+    # Strip HTML tags
+    value = strip_tags(value)
+
+    # Render Markdown with GFM extension
     html = markdown(value, extensions=['mdx_gfm'])
+
     return mark_safe(html)
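Review bot: Stripping tags from the input (the `value = strip_tags(value)` line) does not cover HTML that the Markdown renderer itself produces from attacker-controlled Markdown, and the result is still wrapped in `mark_safe(html)`. A link written as `[click](javascript:alert(1))` contains no angle brackets, so it survives `strip_tags` and is emitted by `markdown()` as an `<a href="javascript:...">` element, because Python-Markdown does not sanitize link or image destinations. Django's own documentation for `strip_tags` also states that no guarantee is made about the resulting string being HTML safe. The more robust fix is to sanitize the rendered HTML after the `markdown()` call with an allowlist of tags, attributes and URL schemes for `href`/`src` (for example with `bleach.clean`), rather than, or in addition to, pre-stripping the source. If the pre-strip is kept, the comment `# Strip HTML tags` should note that it is a defence-in-depth measure and not a sanitizer, and that it also removes legitimate tag-shaped Markdown such as autolinks in angle brackets.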