Use bleach for HTML sanitization.

calc/utils.py

@@ -1,5 +1,8 @@
 from typing import Any, List, Iterable
 from django.contrib.auth.models import Permission
+from django.utils.text import SafeText
+from markdown import markdown
+import bleach
 
 
 def get_permissions_from_ns_codenames(ns_codenames):
@@ -60,3 +63,22 @@ def humanlist(items: Iterable[str], word: str='and') -> str:
     if len(itemlist) < 2:
         return ''.join(items)
     return ', '.join(itemlist[:-1]) + f', {word} ' + itemlist[-1]
+
+
+def markdown_to_sanitized_html(text: str) -> SafeText:
+    '''
+    Render the given untrusted Markdown to sanitized HTML.
+
+    Examples:
+
+       >>> markdown_to_sanitized_html('hello **there** *u*')
+       '<p>hello <strong>there</strong> <em>u</em></p>'
+
+       >>> markdown_to_sanitized_html('<script>meh</script>')
+       '&lt;script&gt;meh&lt;/script&gt;'
+    '''
+
+    return SafeText(bleach.clean(
+        markdown(text),
+        tags=['p', 'strong', 'em']
+    ))

contracts/models.py

@@ -1,14 +1,12 @@
 import re
-
 from datetime import datetime
 from decimal import Decimal
-
 from django.db import models, connection
 from django.contrib.auth.models import User
 from django.db.models.expressions import Value
 from django.contrib.postgres.search import SearchVectorField, SearchVector
-from django.utils.safestring import mark_safe
-import markdown
+
+from calc.utils import markdown_to_sanitized_html
 
 
 EDUCATION_CHOICES = (
@@ -565,7 +563,7 @@ def full_name(self):
 
     @property
     def description_html(self):
-        return mark_safe(markdown.markdown(self.description))  # nosec
+        return markdown_to_sanitized_html(self.description)
 
     def __str__(self):
         return self.full_name

requirements.txt

@@ -26,3 +26,4 @@ cg-django-uaa==1.3.0
 semantic_version==2.6.0
 coreapi==2.3.3
 django-uswds-forms==1.0.0
+bleach==2.1.3