Safe mode *must* disallow attributes like "onload", "onclick" #82
Possibly by disabling attributes altogether (like
This is the mode that people are expected to use when rendering user input. This has to be the default, especially since most people don't know about or use this attribute syntax in the first place. The output must be actually guaranteed safe, not just partly safe. This vulnerability is just as dangerous as
In fact, all Django sites that use markdown currently have this vulnerability, because the
As we have documented:
Unfortunately, this is an issue of poor naming. Perhaps it should have been called "raw_html" rather than "safe_mode". However, we have left it for historical (backward compatible) reasons. Too many other libraries and projects expect the current name so we leave it.
The fact is, with our extension API, we have no way of ensuring that any third party extensions are "safe" either. If you really want something that is "safe", then I suggest a third-party post-processor which completely sanitizes markdown's output. Perhaps something like bleach.
I should also note that this request is for a blacklist that blocks "attributes like 'onload', 'onclick'." Whereas solutions like bleach implement a whitelist. Whitelists block everything that is not known to be safe, which is a much safer approach. If markdown were to continue on this blacklist approach, we would constantly be chasing new "unsafe" input. For that reason, we will not be implementing the suggested solution. As existing solutions already exist, I'm closing this wontfix.
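The post-processing approach recommended in the comment above, as an added example that is not part of this thread and is neither Python-Markdown's code nor bleach's: a whitelist sanitizer built only from the standard library, run over a constructed sample of the kind of HTML a renderer can emit when attribute syntax or raw tags get through. The allowed tag, attribute and URL-scheme sets are illustrative choices for the example, not anything the project defines. A naive blacklist filter for the two attributes named in the issue title sits beside it to show what that approach misses: `onmouseover`, `onerror`, a `javascript:` URL, an entity-encoded `javascript:` URL and a script block. In production, use bleach or another maintained sanitizer rather than this code.

```python
"""Whitelist sanitizer for HTML emitted by a Markdown renderer.
Added example for this thread, not Python-Markdown's or bleach's code; in
production use bleach or another maintained sanitizer."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Whitelist (illustrative): any tag, attribute or URL scheme not listed is dropped.
ALLOWED_TAGS = {"p", "em", "strong", "code", "pre", "a", "ul", "ol", "li",
                "blockquote", "h1", "h2", "h3", "br", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
# The blacklist the issue title asks for, kept only to show what it misses.
BLACKLISTED_ATTRS = {"onload", "onclick"}


def _safe_url(value):
    """Allow relative URLs and the listed schemes; reject javascript:, data:, etc."""
    # Browsers ignore tabs/newlines inside a scheme ("java\tscript:"), so drop
    # non-printable characters before inspecting it.
    cleaned = "".join(ch for ch in value if ch.isprintable()).strip()
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class WhitelistSanitizer(HTMLParser):
    """Rebuilds the document from whitelisted tags and attributes only."""

    def __init__(self):
        # HTMLParser entity-decodes attribute values, so "&#106;avascript:"
        # reaches _safe_url as "javascript:" and is rejected.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []      # open whitelisted tags, used to balance the output
        self.skip_depth = 0  # >0 while inside a dropped <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text content is still emitted
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # removes every on* handler without naming any
            value = value or ""
            if name in URL_ATTRS and not _safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.stack:
            return
        while self.stack:  # also closes anything left open since this tag
            open_tag = self.stack.pop()
            self.out.append("</%s>" % open_tag)
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(html):
    """Return html rebuilt from whitelisted content only, with tags balanced."""
    parser = WhitelistSanitizer()
    parser.feed(html)
    parser.close()
    while parser.stack:
        parser.out.append("</%s>" % parser.stack.pop())
    return "".join(parser.out)


def blacklist_filter(html):
    """Strip only the attributes named in the issue title; shown to be insufficient."""
    names = "|".join(sorted(BLACKLISTED_ATTRS))
    pattern = re.compile(r"""\s(?:%s)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""" % names,
                         re.IGNORECASE)
    return pattern.sub("", html)


# Constructed sample of renderer output carrying attribute-based payloads.
SAMPLE = ('<p onmouseover="steal()">Hello <a href="javascript:alert(1)" '
          'onclick="x()">link</a> <img src="x" onerror="y()"> '
          '<a href="&#106;avascript:alert(1)">enc</a></p>'
          '<script>alert(1)</script><em>done</em>')
```

Calling `sanitize(SAMPLE)` yields `<p>Hello <a>link</a> <img src="x"> <a>enc</a></p><em>done</em>`: every attribute not on the per-tag list is gone, the two `javascript:` hrefs are dropped without the code ever naming the scheme, and the script block disappears. `blacklist_filter(SAMPLE)` removes only `onclick` and leaves `onmouseover`, `onerror`, both `javascript:` URLs and the `<script>` element in place, which is the chase the comment above describes.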
You are right that a blacklist is never the right answer. I meant a filter of non-whitelisted attributes, and only provided the blacklist for reference.
It's not an issue of poor naming. The "safe" mode does more than just not interpret "raw_html", like filtering
I understand that backwards compatibility is an issue, but security is even more important. Security should always be the default, not an extra option like