From 8837fa65c83dd47a9911695c18fa8f0c6e6294cc Mon Sep 17 00:00:00 2001
From: Sergey Motornyuk
Date: Mon, 12 Dec 2016 15:02:23 +0200
Subject: [PATCH] `render_markdown` breaks links with ampersands
Added few additional allowed tags to `bleach.clean` function and changed sanitization sequence so that markdown applied first and only after that result cleaned
---
 ckan/lib/helpers.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/ckan/lib/helpers.py b/ckan/lib/helpers.py
index f7b5af9ed77..ba67350867b 100644
--- a/ckan/lib/helpers.py
+++ b/ckan/lib/helpers.py
@@ -24,7 +24,7 @@
 import webhelpers.text as whtext
 import webhelpers.date as date
 from markdown import markdown
-from bleach import clean as clean_html
+from bleach import clean as clean_html, ALLOWED_TAGS
 from pylons import url as _pylons_default_url
 from ckan.common import config, is_flask_request
 from flask import redirect as _flask_redirect
@@ -48,6 +48,12 @@
 log = logging.getLogger(__name__)
+MARKDOWN_TAGS = set([
+ 'del', 'dd', 'dl', 'dt', 'h1', 'h2',
+ 'h3', 'img', 'kbd', 'p', 'pre', 's',
+ 'sup', 'sub', 'strike', 'br', 'hr'
+]).union(ALLOWED_TAGS)
+
 class HelperAttributeDict(dict):
 def __init__(self, *args, **kwargs):
@@ -1859,7 +1865,7 @@ def render_markdown(data, auto_link=True, allow_html=False):
 data = markdown(data.strip())
 else:
 data = RE_MD_HTML_TAGS.sub('', data.strip())
- data = markdown(clean_html(data, strip=True))
+ data = clean_html(markdown(data), strip=True, tags=MARKDOWN_TAGS)
 # tags can be added by tag:... or tag:"...." and a link will be made
 # from it
 if auto_link:
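Review bot: `img` is added to `MARKDOWN_TAGS`, but the `clean_html(...)` call in the `render_markdown` hunk passes no `attributes=`, so bleach's default attribute allowlist applies; as far as I know that default has no entry for `img`, which would strip `src` and `alt` and leave every Markdown image as an empty `<img>`. Either drop `img` from the set, or define an explicit allowlist beside it, e.g. `MARKDOWN_ATTRIBUTES = dict(ALLOWED_ATTRIBUTES, img=['src', 'alt', 'title'])` (importing `ALLOWED_ATTRIBUTES` from bleach), and pass `attributes=MARKDOWN_ATTRIBUTES` in the call. If images are meant to be allowed, a comment above the constant should say that this lets user-supplied descriptions load remote images, since that is a privacy decision and not only a formatting one. The constant also has no comment explaining that it is the sanitizer allowlist for rendered Markdown; something like `# Tags markdown may emit, on top of bleach's defaults; anything else is stripped` would help the next person who edits the list.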
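Review bot: The new `clean_html(markdown(data), strip=True, tags=MARKDOWN_TAGS)` line makes bleach the only filter on the HTML that markdown produces, yet the diffstat lists `ckan/lib/helpers.py` as the only file changed, so no test pins this behaviour. I would add `render_markdown` tests for a link whose URL contains `&` (the reported bug), for raw `<script>` markup in the input, and for a Markdown link whose scheme is outside bleach's allowed protocols, each asserting the exact output. The `RE_MD_HTML_TAGS.sub('', ...)` pre-strip on the line above is no longer the safety measure, and a comment such as `# cosmetic only: bleach below is the sanitizer` would stop anyone from relying on the regex. `render_markdown` continues past the hunk into the `auto_link` branch, so whether markup built after this line is re-sanitized cannot be judged from here.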