added some tests and src attr to img

ckan · Feb 14, 2017 · e5a23be · e5a23be
1 parent 52eaef8
commit e5a23be
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 2 deletions.
diff --git a/ckan/lib/helpers.py b/ckan/lib/helpers.py
@@ -26,7 +26,7 @@
 from webhelpers.text import truncate
 import webhelpers.date as date
 from markdown import markdown
-from bleach import clean as clean_html, ALLOWED_TAGS
+from bleach import clean as clean_html, ALLOWED_TAGS, ALLOWED_ATTRIBUTES
 from pylons import url as _pylons_default_url
 from pylons.decorators.cache import beaker_cache
 from pylons import config
@@ -52,6 +52,9 @@
     'sup', 'sub', 'strike', 'br', 'hr'
 ]).union(ALLOWED_TAGS)
 
+MARKDOWN_ATTRIBUTES = copy.deepcopy(ALLOWED_ATTRIBUTES)
+MARKDOWN_ATTRIBUTES.setdefault('img', []).extend(['src', 'alt', 'title'])
+
 
 from ckan.common import (
     _, ungettext, g, c, request, session, json, OrderedDict
@@ -1700,7 +1703,9 @@ def render_markdown(data, auto_link=True, allow_html=False):
         data = markdown(data.strip(), safe_mode=False)
     else:
         data = RE_MD_HTML_TAGS.sub('', data.strip())
-        data = clean_html(markdown(data), strip=True, tags=MARKDOWN_TAGS)
+        data = clean_html(
+            markdown(data), strip=True,
+            tags=MARKDOWN_TAGS, attributes=MARKDOWN_ATTRIBUTES)
     # tags can be added by tag:... or tag:"...." and a link will be made
     # from it
     if auto_link:

diff --git a/ckan/tests/lib/test_helpers.py b/ckan/tests/lib/test_helpers.py
@@ -150,6 +150,45 @@ def test_render_markdown_auto_link_ignoring_trailing_punctuation(self):
         output = '<p>My link: <a href="http://example.com/page.html" target="_blank" rel="nofollow">http://example.com/page.html</a>.</p>'
         eq_(h.render_markdown(data), output)
 
+    def test_render_markdown_with_js(self):
+        data = u'[text](javascript: alert(1))'
+        output = u'<p><a>text</a></p>'
+        eq_(h.render_markdown(data), output)
+
+    def test_event_attributes(self):
+        data = u'<p onclick="some.script"><img onmouseover="some.script" src="image.png" /> and text</p>'
+        output = u'<p>and text</p>'
+        eq_(h.render_markdown(data), output)
+
+    def test_ampersand_in_links(self):
+        data = u'[link](/url?a=1&b=2)'
+        output = u'<p><a href="/url?a=1&amp;b=2">link</a></p>'
+        eq_(h.render_markdown(data), output)
+
+        data = u'http://example.com/page?a=1&b=2'
+        output = u'<p><a href="http://example.com/page?a=1&amp;b=2" target="_blank" rel="nofollow">http://example.com/page?a=1&amp;b=2</a></p>'
+        eq_(h.render_markdown(data), output)
+
+    def test_tags_h1(self):
+        data = u'#heading'
+        output = u'<h1>heading</h1>'
+        eq_(h.render_markdown(data), output)
+
+    def test_tags_h2(self):
+        data = u'##heading'
+        output = u'<h2>heading</h2>'
+        eq_(h.render_markdown(data), output)
+
+    def test_tags_h3(self):
+        data = u'###heading'
+        output = u'<h3>heading</h3>'
+        eq_(h.render_markdown(data), output)
+
+    def test_tags_img(self):
+        data = u'![image](/image.png)'
+        output = u'<p><img alt="image" src="/image.png"></p>'
+        eq_(h.render_markdown(data), output)
+
 
 class TestHelpersRemoveLineBreaks(object):