render_markdown breaks links with ampersands

Added few additional allowed tags to `bleach.clean` function and changed sanitization sequence so that markdown applied first and only after that result cleaned
ckan · Dec 16, 2016 · 8837fa6 · 8837fa6
1 parent 0512b22
commit 8837fa6
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/ckan/lib/helpers.py b/ckan/lib/helpers.py
@@ -24,7 +24,7 @@
 import webhelpers.text as whtext
 import webhelpers.date as date
 from markdown import markdown
-from bleach import clean as clean_html
+from bleach import clean as clean_html, ALLOWED_TAGS
 from pylons import url as _pylons_default_url
 from ckan.common import config, is_flask_request
 from flask import redirect as _flask_redirect
@@ -48,6 +48,12 @@
 
 log = logging.getLogger(__name__)
 
+MARKDOWN_TAGS = set([
+    'del', 'dd', 'dl', 'dt', 'h1', 'h2',
+    'h3', 'img', 'kbd', 'p', 'pre', 's',
+    'sup', 'sub', 'strike', 'br', 'hr'
+]).union(ALLOWED_TAGS)
+
 
 class HelperAttributeDict(dict):
     def __init__(self, *args, **kwargs):
@@ -1859,7 +1865,7 @@ def render_markdown(data, auto_link=True, allow_html=False):
         data = markdown(data.strip())
     else:
         data = RE_MD_HTML_TAGS.sub('', data.strip())
-        data = markdown(clean_html(data, strip=True))
+        data = clean_html(markdown(data), strip=True, tags=MARKDOWN_TAGS)
     # tags can be added by tag:... or tag:"...." and a link will be made
     # from it
     if auto_link: