Fix #20 - Update MACHINA_MARKUP_LANGUAGE markdown function parameters

docs/release_notes/index.rst

@@ -13,3 +13,4 @@ Django-machina 0.2
     :maxdepth: 1
 
     v0.2
+    v0.2.1

docs/release_notes/v0.2.1.rst

@@ -0,0 +1,15 @@
+################################
+Django-machina 0.3 release notes
+################################
+
+Requirements and compatibility
+------------------------------
+
+Python 2.7, 3.3, 3.4 and 3.5. Django 1.8 and 1.9.
+
+Minor changes
+-------------
+
+* Fixed a security issue related to the usage of *django-markdown*'s ``markdown`` function (`#20`_)
+
+.. _`#20`: https://github.com/ellmetha/django-machina/issues/20

docs/settings.rst

@@ -17,7 +17,7 @@ The forum name.
 ``MACHINA_MARKUP_LANGUAGE``
 ---------------------------
 
-Default: ``('django_markdown.utils.markdown', {})``
+Default: ``('django_markdown.utils.markdown', {'safe': True})``
 
 This setting defines how posts content is translated into HTML on the forum. It should be a two-tuple. The first element should be a string corresponding to the Python dotted path to a function returning HTML from a content expressed in a markup language. The second element of the tuple is a dictionary of keyword arguments to pass to the latest function (the dictionary should be empty if the function does not require any argument). Note that if you do not want to use a markup language such as Markdown or BBCode (eg. if you are using a Wysiwyg editor), you can set this setting to ``None``.
 

machina/conf/settings.py

@@ -8,7 +8,7 @@
 # General
 MACHINA_FORUM_NAME = getattr(settings, 'MACHINA_FORUM_NAME', 'Machina')
 MACHINA_MARKUP_LANGUAGE = getattr(
-    settings, 'MACHINA_MARKUP_LANGUAGE', ('django_markdown.utils.markdown', {}))
+    settings, 'MACHINA_MARKUP_LANGUAGE', ('django_markdown.utils.markdown', {'safe': True}))
 MACHINA_MARKUP_WIDGET = getattr(
     settings, 'MACHINA_MARKUP_WIDGET', 'django_markdown.widgets.MarkdownWidget')