XSS Injection

[sauloh]

django-machina is vulnerable do XSS Injection when user creates a topic.

you just have create or reply a topic with:
<script>alert('hello');</script>

[ellmetha]

Hi,
Thanks for pointing this out! This was related to a missuse of the django-markdown's markdown function (which requires the use of a safe argument to enforce the "safe" mode).
I'll release a new version of django-machina during the day.

A quick fix is to set the MACHINA_MARKUP_LANGUAGE setting as follows:

MACHINA_MARKUP_LANGUAGE = ('django_markdown.utils.markdown', {'safe': True})

[sauloh]

Hi,

I'm the one who should thank you for the quick fix.

But I saw this in markdown docs: https://pythonhosted.org/Markdown/reference.html#safe_mode

Warning “safe_mode” is deprecated and should not be used.

Is it the same thing you mentioned, or am I confused?

[ellmetha]

Hi,

I was referring to the safe argument of the django-markdown's markdown function (see https://github.com/klen/django_markdown/blob/develop/django_markdown/utils.py#L31).

But indeed this is related to the "safe_mode" of the Markdown Python module, which seem to be deprecated. This should be fixed inside the django-markdown module and not in django-machina.

I plan to replace django-markdown by another solution in the next 0.3 release of django-machina.

[sauloh]

Oh, understood!

Thanks!