Markdown Security Patch

hknweb/events/templates/events/index.html

@@ -44,7 +44,7 @@
             // Events
             events: [{% for event in events %}
                 {
-                    title: "{{ event.name|safe }}",
+                    title: "{{ event.name }}",
                     start: '{{ event.start_time|date:"c" }}',
                     end: '{{ event.end_time|date:"c" }}',
                     url: '{{ event.id }}',

hknweb/events/utils.py

@@ -3,6 +3,9 @@
 from django import forms
 from django.core.validators import URLValidator
 
+from hknweb.utils import markdownify
+
+
 from .constants import (
     ATTR,
     DAY_ATTRIBUTE_NAME,
@@ -105,6 +108,7 @@ def get_access_level(user):
 
 def format_url(s: str, max_width: int=None) -> str:
     url_validator = URLValidator()
+    s = markdownify(s)
     try:
         url_validator(s)
         return "<a href='{link}' style='background-color: white'> {link} </a>".format(link=s)

hknweb/events/views.py

@@ -10,7 +10,7 @@
 from django.views.generic.edit import UpdateView
 from django.utils import timezone
 
-from markdownx.utils import markdownify
+from hknweb.utils import markdownify
 
 from hknweb.utils import (
     login_and_permission,

hknweb/markdown_pages/views.py

@@ -1,6 +1,6 @@
 from django.shortcuts import render, redirect, get_object_or_404
 from django.http import HttpResponseRedirect
-from markdownx.utils import markdownify
+from hknweb.utils import markdownify
 
 from .models import MarkdownPage
 from .forms import EditPageForm

hknweb/reviewsessions/templates/reviewsessions/index.html

@@ -44,7 +44,7 @@
             // Review sessions
             events: [{% for reviewsession in reviewsessions %}
                 {
-                    title: "{{ reviewsession.name|safe }}",
+                    title: "{{ reviewsession.name }}",
                     start: '{{ reviewsession.start_time|date:"c" }}',
                     end: '{{ reviewsession.end_time|date:"c" }}',
                     url: '{{ reviewsession.id }}',

hknweb/settings/common.py

@@ -16,7 +16,6 @@
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
 
-
 # Quick-start development settings - unsuitable for production
 # See https://docs.djangoproject.com/en/2.0/howto/deployment/checklist/
 # Application definition
@@ -219,3 +218,44 @@
 INTERACTIVITIES_ATTRIBUTE_NAME = "interactivities"
 
 # Note: both candidate and officer group should have permission to add officer challenges
+
+# Markdown settings
+MARKDOWNX_MARKDOWNIFY_FUNCTION = 'hknweb.utils.markdownify'
+MARKDOWNIFY_STRIP = False
+
+## markdownify
+MARKDOWNIFY_WHITELIST_TAGS = [
+  'a',
+  'abbr',
+  'acronym',
+  'b',
+  'blockquote',
+  'em',
+  'i',
+  'li',
+  'ol',
+  'p',
+  'strong',
+  'ul',
+  'pre',
+  'code',
+  'img'
+]
+MARKDOWNIFY_WHITELIST_PROTOCOLS = [
+    'http',
+    'https',
+]
+MARKDOWNIFY_LINKIFY_PARSE_EMAIL = True
+MARKDOWNIFY_LINKIFY_SKIP_TAGS = ['pre', 'code', ]
+
+# Allowing certain Attributes that define the behavior
+#  of a Tag
+# Examples:
+#  -> <a href=...>, href is allowed here
+#  -> <img src="..." onload="...">), src is allowed here, but not onload
+MARKDOWNIFY_WHITELIST_ATTRS = [
+    'href',
+    'src',
+    'alt',
+    'class',
+]

hknweb/utils.py

@@ -10,6 +10,18 @@
 
 from pytz import timezone
 
+### For Markdownx Security Patch
+from functools import partial
+
+
+from django.conf import settings
+from django.utils.safestring import mark_safe
+
+import markdown
+import bleach
+###
+
+
 # constants
 
 DATETIME_12_HOUR_FORMAT = '%m/%d/%Y %I:%M %p'
@@ -80,3 +92,49 @@ def export_model_as_csv(model, queryset):
         writer.writerow([getattr(obj, field) for field in field_names])
 
     return response
+
+def markdownify(text):
+
+    # Bleach settings
+    whitelist_tags = getattr(settings, 'MARKDOWNIFY_WHITELIST_TAGS', bleach.sanitizer.ALLOWED_TAGS)
+    whitelist_attrs = getattr(settings, 'MARKDOWNIFY_WHITELIST_ATTRS', bleach.sanitizer.ALLOWED_ATTRIBUTES)
+    whitelist_styles = getattr(settings, 'MARKDOWNIFY_WHITELIST_STYLES', bleach.sanitizer.ALLOWED_STYLES)
+    whitelist_protocols = getattr(settings, 'MARKDOWNIFY_WHITELIST_PROTOCOLS', bleach.sanitizer.ALLOWED_PROTOCOLS)
+
+    # Markdown settings
+    strip = getattr(settings, 'MARKDOWNIFY_STRIP', True)
+    extensions = getattr(settings, 'MARKDOWNIFY_MARKDOWN_EXTENSIONS', [])
+
+    # Bleach Linkify
+    linkify = None
+    linkify_text = getattr(settings, 'MARKDOWNIFY_LINKIFY_TEXT', True)
+
+    if linkify_text:
+        linkify_parse_email = getattr(settings, 'MARKDOWNIFY_LINKIFY_PARSE_EMAIL', False)
+        linkify_callbacks = getattr(settings, 'MARKDOWNIFY_LINKIFY_CALLBACKS', None)
+        linkify_skip_tags = getattr(settings, 'MARKDOWNIFY_LINKIFY_SKIP_TAGS', None)
+        linkifyfilter = bleach.linkifier.LinkifyFilter
+
+        linkify = [partial(linkifyfilter,
+                callbacks=linkify_callbacks,
+                skip_tags=linkify_skip_tags,
+                parse_email=linkify_parse_email
+                )]
+
+    # Convert markdown to html
+    html = markdown.markdown(text, extensions=extensions)
+
+    # Sanitize html if wanted
+    if getattr(settings, 'MARKDOWNIFY_BLEACH', True):
+
+        cleaner = bleach.Cleaner(tags=whitelist_tags,
+                                 attributes=whitelist_attrs,
+                                 styles=whitelist_styles,
+                                 protocols=whitelist_protocols,
+                                 strip=strip,
+                                 filters=linkify,
+                                 )
+
+        html = cleaner.clean(html)
+
+    return mark_safe(html)

requirements.txt

@@ -3,6 +3,7 @@ mysqlclient==1.4.5
 whitenoise==4.1.1
 pillow==6.2.0
 django-markdownx==2.0.27
+bleach==3.2.1
 gunicorn==19.9.0
 fabric==2.4.0
 social-auth-app-django==3.1.0