Mark 3.4.3 (#2063)

# 3.4.3 / 2022-03-07

**Security**

- Bump cmarkgfm to 0.8.0 to resolve CVE-2022-24724. Copied entry from 3.4.2 since 3.4.2 introduced a bug that prevented writing raw HTML.

**General**

- Fix issue where raw HTML would not be rendered in markdown

CHANGELOG.md

@@ -1,3 +1,13 @@
+# 3.4.3 / 2022-03-07
+
+**Security**
+
+- Bump cmarkgfm to 0.8.0 to resolve CVE-2022-24724. Copied entry from 3.4.2 since 3.4.2 introduced a bug that prevented writing raw HTML.
+
+**General**
+
+- Fix issue where raw HTML would not be rendered in markdown
+
 # 3.4.2 / 2022-03-07
 
 **Security**

CTFd/__init__.py

@@ -29,7 +29,7 @@
 from CTFd.utils.sessions import CachingSessionInterface
 from CTFd.utils.updates import update_check
 
-__version__ = "3.4.2"
+__version__ = "3.4.3"
 __channel__ = "oss"
 
 

CTFd/utils/__init__.py

@@ -1,6 +1,7 @@
 from enum import Enum
 
 import cmarkgfm
+from cmarkgfm.cmark import Options
 from flask import current_app as app
 
 # isort:imports-firstparty
@@ -14,7 +15,9 @@
 
 def markdown(md):
     return cmarkgfm.markdown_to_html_with_extensions(
-        md, extensions=["autolink", "table", "strikethrough"]
+        md,
+        extensions=["autolink", "table", "strikethrough"],
+        options=Options.CMARK_OPT_UNSAFE,
     )
 
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "ctfd",
-  "version": "3.4.2",
+  "version": "3.4.3",
   "description": "CTFd is a Capture The Flag framework focusing on ease of use and customizability. It comes with everything you need to run a CTF and it's easy to customize with plugins and themes.",
   "main": "index.js",
   "directories": {

tests/utils/test_markdown.py

@@ -0,0 +1,12 @@
+from CTFd.utils import markdown
+
+
+def test_markdown():
+    """
+    Test that our markdown function renders properly
+    """
+    # Allow raw HTML / potentially unsafe HTML
+    assert (
+        markdown("<iframe src='https://example.com'></iframe>").strip()
+        == "<iframe src='https://example.com'></iframe>"
+    )