render_markdown breaks links with ampersands

Added few additional allowed tags to `bleach.clean` function and changed sanitization sequence so that markdown applied first and only after that result cleaned
ckan · Feb 14, 2017 · f8e423a · f8e423a
1 parent 99d9181
commit f8e423a
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/ckan/lib/helpers.py b/ckan/lib/helpers.py
@@ -24,7 +24,7 @@
 import webhelpers.text as whtext
 import webhelpers.date as date
 from markdown import markdown
-from bleach import clean as clean_html
+from bleach import clean as clean_html, ALLOWED_TAGS
 from pylons import url as _pylons_default_url
 from ckan.common import config
 from routes import redirect_to as _redirect_to
@@ -47,6 +47,12 @@
 
 log = logging.getLogger(__name__)
 
+MARKDOWN_TAGS = set([
+    'del', 'dd', 'dl', 'dt', 'h1', 'h2',
+    'h3', 'img', 'kbd', 'p', 'pre', 's',
+    'sup', 'sub', 'strike', 'br', 'hr'
+]).union(ALLOWED_TAGS)
+
 
 class HelperAttributeDict(dict):
     def __init__(self, *args, **kwargs):
@@ -1843,7 +1849,7 @@ def render_markdown(data, auto_link=True, allow_html=False):
         data = markdown(data.strip())
     else:
         data = RE_MD_HTML_TAGS.sub('', data.strip())
-        data = markdown(clean_html(data, strip=True))
+        data = clean_html(markdown(data), strip=True, tags=MARKDOWN_TAGS)
     # tags can be added by tag:... or tag:"...." and a link will be made
     # from it
     if auto_link: