Fixes #7788: Improve XSS mitigation in Markdown renderer

docs/release-notes/version-3.0.md

@@ -17,6 +17,7 @@
 * [#7766](https://github.com/netbox-community/netbox/issues/7766) - Add missing outer dimension columns to rack table
 * [#7780](https://github.com/netbox-community/netbox/issues/7780) - Preserve multi-line values during CSV file import
 * [#7783](https://github.com/netbox-community/netbox/issues/7783) - Fix indentation of locations under site view
+* [#7788](https://github.com/netbox-community/netbox/issues/7788) - Improve XSS mitigation in Markdown renderer
 * [#7791](https://github.com/netbox-community/netbox/issues/7791) - Enable sorting device bays table by installed device status
 * [#7802](https://github.com/netbox-community/netbox/issues/7802) - Differentiate ID and VID columns in VLANs table
 

netbox/utilities/templatetags/helpers.py

@@ -40,14 +40,19 @@ def render_markdown(value):
     """
     Render text as Markdown
     """
+    schemes = '|'.join(settings.ALLOWED_URL_SCHEMES)
+
     # Strip HTML tags
     value = strip_tags(value)
 
     # Sanitize Markdown links
-    schemes = '|'.join(settings.ALLOWED_URL_SCHEMES)
+    pattern = fr'\[([^\]]+)\]\((?!({schemes})).*:(.+)\)'
-    pattern = fr'\[(.+)\]\((?!({schemes})).*:(.+)\)'
     value = re.sub(pattern, '[\\1](\\3)', value, flags=re.IGNORECASE)
 
+    # Sanitize Markdown reference links
+    pattern = fr'\[(.+)\]:\w?(?!({schemes})).*:(.+)'
+    value = re.sub(pattern, '[\\1]: \\3', value, flags=re.IGNORECASE)
+
     # Render Markdown
     html = markdown(value, extensions=['fenced_code', 'tables'])