hotfix: XSS issues #173 #182

README.md

@@ -34,6 +34,7 @@
 * `Django>=3.2`
 * `Markdown>=3.0`
 * `requests>=2.12.4`
+* `bleach`
 
 
 ### Installation
@@ -155,6 +156,21 @@ ALLOWED_URL_SCHEMES = [
     "file", "ftp", "ftps", "http", "https", "irc", "mailto",
     "sftp", "ssh", "tel", "telnet", "tftp", "vnc", "xmpp",
 ]
+
+# https://gist.github.com/mrmrs/7650266
+ALLOWED_HTML_TAGS = [
+    "a", "abbr", "b", "blockquote", "br", "cite", "code", "command",
+    "dd", "del", "dl", "dt", "em", "fieldset", "h1", "h2", "h3", "h4", "h5", "h6",
+    "hr", "i", "iframe", "img", "input", "ins", "kbd", "label", "legend",
+    "li", "ol", "optgroup", "option", "p", "pre", "small", "span", "strong",
+    "sub", "sup", "table", "tbody", "td", "tfoot", "th", "thead", "tr", "u", "ul"
+]
+
+ALLOWED_HTML_ATTRIBUTES = [
+    "alt", "class", "color", "colspan", "datetime",  # "data",
+    "height", "href", "id", "name", "reversed", "rowspan",
+    "scope", "src", "style", "title", "type", "width"
+]
 ```
 
 Check this setting is not set else csrf will not be sent over ajax calls:

martor/__init__.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 
-__VERSION__ = "1.6.14"
-__RELEASE_DATE__ = "04-Sep-2022"
+__VERSION__ = "1.6.15"
+__RELEASE_DATE__ = "18-Nov-2022"
 __AUTHOR__ = "Agus Makmun (Summon Agus)"
 __AUTHOR_EMAIL__ = "[email protected]"

martor/settings.py

@@ -138,3 +138,86 @@
         "xmpp",
     ],
 )
+
+# https://gist.github.com/mrmrs/7650266
+ALLOWED_HTML_TAGS = getattr(
+    settings,
+    "ALLOWED_HTML_TAGS",
+    [
+        "a",
+        "abbr",
+        "b",
+        "blockquote",
+        "br",
+        "cite",
+        "code",
+        "command",
+        "dd",
+        "del",
+        "dl",
+        "dt",
+        "em",
+        "fieldset",
+        "h1",
+        "h2",
+        "h3",
+        "h4",
+        "h5",
+        "h6",
+        "hr",
+        "i",
+        "iframe",
+        "img",
+        "input",
+        "ins",
+        "kbd",
+        "label",
+        "legend",
+        "li",
+        "ol",
+        "optgroup",
+        "option",
+        "p",
+        "pre",
+        "small",
+        "span",
+        "strong",
+        "sub",
+        "sup",
+        "table",
+        "tbody",
+        "td",
+        "tfoot",
+        "th",
+        "thead",
+        "tr",
+        "u",
+        "ul",
+    ],
+)
+
+# https://github.com/decal/werdlists/blob/master/html-words/html-attributes-list.txt
+ALLOWED_HTML_ATTRIBUTES = getattr(
+    settings,
+    "ALLOWED_HTML_ATTRIBUTES",
+    [
+        "alt",
+        "class",
+        "color",
+        "colspan",
+        # "data",
+        "datetime",
+        "height",
+        "href",
+        "id",
+        "name",
+        "reversed",
+        "rowspan",
+        "scope",
+        "src",
+        "style",
+        "title",
+        "type",
+        "width",
+    ],
+)

martor/static/martor/js/martor.bootstrap.js

@@ -1,7 +1,7 @@
 /**
- * Name         : Martor v1.6.14
+ * Name         : Martor v1.6.15
  * Created by   : Agus Makmun (Summon Agus)
- * Release date : 04-Sep-2022
+ * Release date : 18-Nov-2022
  * License      : GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007
  * Repository   : https://github.com/agusmakmun/django-markdown-editor
 **/

martor/static/martor/js/martor.semantic.js

@@ -1,7 +1,7 @@
 /**
- * Name         : Martor v1.6.14
+ * Name         : Martor v1.6.15
  * Created by   : Agus Makmun (Summon Agus)
- * Release date : 04-Sep-2022
+ * Release date : 18-Nov-2022
  * License      : GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007
  * Repository   : https://github.com/agusmakmun/django-markdown-editor
 **/

martor/tests/tests.py

@@ -82,6 +82,15 @@ def test_markdownify_xss_handled(self):
         response_1 = markdownify(xss_payload_1)
         self.assertEqual(response_1, '<p><a href=":">aaaa</a></p>')
 
-        # xss_payload_2 = "![\" onerror=alert(1) ](x)"
-        # response_2 = markdownify(xss_payload_2)
-        # self.assertEqual(response_2, '')
+        xss_payload_2 = '![" onerror=alert(1) ](x)'
+        response_2 = markdownify(xss_payload_2)
+        self.assertEqual(
+            response_2, '<p><img alt="&quot; onerror=alert(1) " src="x"></p>'
+        )
+
+        xss_payload_3 = '[xss](" onmouseover=alert(document.domain) l)'
+        response_3 = markdownify(xss_payload_3)
+        self.assertEqual(
+            response_3,
+            '<p><a href="&quot; onmouseover=alert(document.domain)">xss</a>)</p>',  # noqa: E501
+        )

martor/utils.py

@@ -1,6 +1,9 @@
 import re
+import bleach
 
 from django.utils.functional import Promise
+from django.utils.html import format_html
+from django.utils.safestring import mark_safe
 from django.core.serializers.json import DjangoJSONEncoder
 
 try:
@@ -13,6 +16,8 @@
     MARTOR_MARKDOWN_EXTENSIONS,
     MARTOR_MARKDOWN_EXTENSION_CONFIGS,
     ALLOWED_URL_SCHEMES,
+    ALLOWED_HTML_TAGS,
+    ALLOWED_HTML_ATTRIBUTES,
 )
 
 
@@ -38,12 +43,22 @@ def markdownify(markdown_text):
         flags=re.IGNORECASE,
     )
 
-    return markdown.markdown(
+    html = markdown.markdown(
         markdown_text,
         extensions=MARTOR_MARKDOWN_EXTENSIONS,
         extension_configs=MARTOR_MARKDOWN_EXTENSION_CONFIGS,
         output_format="html5",
     )
+    return format_html(
+        mark_safe(
+            bleach.clean(
+                html,
+                tags=ALLOWED_HTML_TAGS,
+                attributes=ALLOWED_HTML_ATTRIBUTES,
+                protocols=ALLOWED_URL_SCHEMES,
+            )
+        )
+    )
 
 
 class LazyEncoder(DjangoJSONEncoder):

requirements.txt

@@ -1,3 +1,4 @@
-Django
+Django>=3.2
 Markdown==3.3.4
 requests
+bleach