Author: PaulM
Date: 2012-03-14 12:06:23 -0700 (Wed, 14 Mar 2012)
New Revision: 17735
Modified:
django/trunk/django/contrib/markup/templatetags/markup.py
django/trunk/django/contrib/markup/tests.py
django/trunk/docs/internals/deprecation.txt
django/trunk/docs/ref/contrib/markup.txt
django/trunk/docs/releases/1.4.txt
Log:
Fixed #17837. Improved markdown safety.
Markdown enable_attributes is now False when safe_mode is enabled. Documented
the markdown "safe" argument. Added warnings when the safe argument is
passed to versions of markdown which cannot be made safe. Deprecated
versions of markdown < 2.1. Many thanks to ptone for the patch.
Modified: django/trunk/django/contrib/markup/templatetags/markup.py
===================================================================
--- django/trunk/django/contrib/markup/templatetags/markup.py 2012-03-14
18:51:20 UTC (rev 17734)
+++ django/trunk/django/contrib/markup/templatetags/markup.py 2012-03-14
19:06:23 UTC (rev 17735)
@@ -11,6 +11,8 @@
* reStructuredText, which requires docutils from http://docutils.sf.net/
"""
+import warnings
+
from django import template
from django.conf import settings
from django.utils.encoding import smart_str, force_unicode
@@ -63,14 +65,25 @@
safe_mode = True
else:
safe_mode = False
-
+ python_markdown_deprecation = "The use of Python-Markdown "
+ "< 2.1 in Django is deprecated; please update to the current
version"
# Unicode support only in markdown v1.7 or above. Version_info
# exist only in markdown v1.6.2rc-2 or above.
- if getattr(markdown, "version_info", None) < (1,7):
+ markdown_vers = getattr(markdown, "version_info", None)
+ if markdown_vers < (1,7):
+ warnings.warn(python_markdown_deprecation, DeprecationWarning)
return
mark_safe(force_unicode(markdown.markdown(smart_str(value), extensions,
safe_mode=safe_mode)))
else:
- return mark_safe(markdown.markdown(force_unicode(value),
extensions, safe_mode=safe_mode))
+ if markdown_vers >= (2,1):
+ if safe_mode:
+ return
mark_safe(markdown.markdown(force_unicode(value), extensions,
safe_mode=safe_mode, enable_attributes=False))
+ else:
+ return
mark_safe(markdown.markdown(force_unicode(value), extensions,
safe_mode=safe_mode))
+ else:
+ warnings.warn(python_markdown_deprecation,
DeprecationWarning)
+ return mark_safe(markdown.markdown(force_unicode(value),
extensions, safe_mode=safe_mode))
else:
+ warnings.warn(python_markdown_deprecation, DeprecationWarning)
return
mark_safe(force_unicode(markdown.markdown(smart_str(value))))
@register.filter(is_safe=True)
Modified: django/trunk/django/contrib/markup/tests.py
===================================================================
--- django/trunk/django/contrib/markup/tests.py 2012-03-14 18:51:20 UTC (rev
17734)
+++ django/trunk/django/contrib/markup/tests.py 2012-03-14 19:06:23 UTC (rev
17735)
@@ -58,6 +58,20 @@
pattern = re.compile("""<p>Paragraph 1\s*</p>\s*<h2>\s*An h2</h2>""")
self.assertTrue(pattern.match(rendered))
+ @unittest.skipUnless(markdown, 'markdown no installed')
+ def test_markdown_attribute_disable(self):
+ t = Template("{% load markup %}{{ markdown_content|markdown:'safe' }}")
+ markdown_content = "{@onclick=alert('hi')}some paragraph"
+ rendered =
t.render(Context({'markdown_content':markdown_content})).strip()
+ self.assertTrue('@' in rendered)
+
+ @unittest.skipUnless(markdown, 'markdown no installed')
+ def test_markdown_attribute_enable(self):
+ t = Template("{% load markup %}{{ markdown_content|markdown }}")
+ markdown_content = "{@onclick=alert('hi')}some paragraph"
+ rendered =
t.render(Context({'markdown_content':markdown_content})).strip()
+ self.assertFalse('@' in rendered)
+
@unittest.skipIf(markdown, 'markdown is installed')
def test_no_markdown(self):
t = Template("{% load markup %}{{ markdown_content|markdown }}")
Modified: django/trunk/docs/internals/deprecation.txt
===================================================================
--- django/trunk/docs/internals/deprecation.txt 2012-03-14 18:51:20 UTC (rev
17734)
+++ django/trunk/docs/internals/deprecation.txt 2012-03-14 19:06:23 UTC (rev
17735)
@@ -196,6 +196,11 @@
filesystem path to a ``locale`` directory containing non-app-specific
translations in its value.
+* The Markup contrib app will no longer support versions of Python-Markdown
+ library earlier than 2.1. An accelerated timeline was used as this was
+ a security related deprecation.
+
+
1.6
---
Modified: django/trunk/docs/ref/contrib/markup.txt
===================================================================
--- django/trunk/docs/ref/contrib/markup.txt 2012-03-14 18:51:20 UTC (rev
17734)
+++ django/trunk/docs/ref/contrib/markup.txt 2012-03-14 19:06:23 UTC (rev
17735)
@@ -47,3 +47,19 @@
settings`_ for details on what these settings are.
.. _restructuredtext writer settings:
http://docutils.sourceforge.net/docs/user/config.html#html4css1-writer
+
+Markdown
+--------
+
+The Python Markdown library supports options named "safe_mode" and
+"enable_attributes". Both relate to the security of the output. To enable both
+options in tandem, the markdown filter supports the "safe" argument.
+
+ {{ markdown_content_var|markdown:"safe" }}
+
+.. warning::
+
+ Versions of the Python-Markdown library prior to 2.1 do not support the
+ optional disabling of attributes and by default they will be included in
+ any output from the markdown filter - a warning is issued if this is the
+ case.
Modified: django/trunk/docs/releases/1.4.txt
===================================================================
--- django/trunk/docs/releases/1.4.txt 2012-03-14 18:51:20 UTC (rev 17734)
+++ django/trunk/docs/releases/1.4.txt 2012-03-14 19:06:23 UTC (rev 17735)
@@ -1096,7 +1096,17 @@
incomplete fixtures will fail. Because fixtures are a raw import, they should
explicitly specify all field values, regardless of field options on the model.
+Attributes disabled in markdown when safe mode set
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Prior to Django 1.4, attributes were included in any markdown output regardless
+of safe mode setting of the filter. With version > 2.1 of the Python-Markdown
+library, an enable_attributes option was added. When the safe argument is
+passed to the markdown filter, both the ``safe_mode=True`` and
+``enable_attributes=False`` options are set. If using a version of the
+Python-Markdown library less than 2.1, a warning is issued that the output is
+insecure.
+
Features deprecated in 1.4
==========================
@@ -1262,3 +1272,12 @@
``items()`` method is doing, this may have a negative performance impact.
To mitigate the performance impact, consider using the :doc:`caching
framework </topics/cache>` within your ``Sitemap`` subclass.
+
+Versions of Python-Markdown earlier than 2.1
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Versions of Python-Markdown earlier than 2.1 do not support the option to
+disable attributes. As a security issue, earlier versions of this library will
+not be supported by the markup contrib app in 1.5 under an accelerated
+deprecation timeline.
+
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/django-updates?hl=en.
