Use a form to clean input Markdown data

netbox/extras/forms/__init__.py

@@ -2,6 +2,7 @@ from .model_forms import *
 from .filtersets import *
 from .bulk_edit import *
 from .bulk_import import *
+from .misc import *
 from .mixins import *
 from .config import *
 from .scripts import *

netbox/extras/forms/misc.py

@@ -0,0 +1,14 @@
+from django import forms
+
+__all__ = (
+    'RenderMarkdownForm',
+)
+
+
+class RenderMarkdownForm(forms.Form):
+    """
+    Provides basic validation for markup to be rendered.
+    """
+    text = forms.CharField(
+        required=False
+    )

netbox/extras/urls.py

@@ -93,5 +93,5 @@ urlpatterns = [
     re_path(r'^scripts/(?P<module>.([^.]+)).(?P<name>.(.+))/', views.ScriptView.as_view(), name='script'),
 
     # Markdown
-    path('render/markdown/', views.MarkdownRenderView.as_view(), name="render_markdown")
+    path('render/markdown/', views.RenderMarkdownView.as_view(), name="render_markdown")
 ]

netbox/extras/views.py

@@ -1,7 +1,7 @@
 from django.contrib import messages
 from django.contrib.contenttypes.models import ContentType
 from django.db.models import Count, Q
-from django.http import Http404, HttpResponseForbidden, HttpResponse
+from django.http import Http404, HttpResponseBadRequest, HttpResponseForbidden, HttpResponse
 from django.shortcuts import get_object_or_404, redirect, render
 from django.urls import reverse
 from django.views.generic import View
@@ -892,8 +892,12 @@ class JobResultBulkDeleteView(generic.BulkDeleteView):
 # Markdown
 #
 
-class MarkdownRenderView(View):
+class RenderMarkdownView(View):
+
     def post(self, request):
-        raw = request.POST.get("text", "").strip()
-        rendered = render_markdown(raw)
+        form = forms.RenderMarkdownForm(request.POST)
+        if not form.is_valid():
+            HttpResponseBadRequest()
+        rendered = render_markdown(form.cleaned_data['text'])
+
         return HttpResponse(rendered)