#17837: Markdown filter "safe" mode is vulnerable to e.g. 'onclick' attributes
-------------------------------------+-------------------------------------
Reporter: nomulous | Owner: nobody
Type: Bug | Status: closed
Component: contrib.markup | Version: SVN
Severity: Release blocker | Resolution: fixed
Keywords: javascript, | Triage Stage: Accepted
injection, xss, markdown | Needs documentation: 0
Has patch: 1 | Patch needs improvement: 0
Needs tests: 0 | UI/UX: 0
Easy pickings: 0 |
-------------------------------------+-------------------------------------
Changes (by PaulM):
* status: new => closed
* resolution: => fixed
Comment:
In [17734]:
{{{
#!CommitTicketReference repository="" revision="17734"
[1.3.X] Fixed #17837. Improved markdown safety.
Markdown enable_attributes is now False when safe_mode is enabled.
Documented
the markdown "safe" argument. Added warnings when the safe argument is
passed to versions of markdown which cannot be made safe.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/17837#comment:7>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/django-updates?hl=en.
