[1.6] Sanitize render_markdown() output with nh3 library #5134

Merged (9 commits), Jan 19, 2024

Conversation

glennmatthews (Contributor):

What's Changed

1.6 backport of #5133. Some code location changes (e.g. nautobot/utilities vs nautobot/core) but otherwise the same code.

Screenshots

TODO

  • Explanation of Change(s)
  • Added change log fragment(s) (for more information see the documentation)
  • Attached Screenshots, Payload Example
  • Unit, Integration Tests
  • Documentation Updates (when adding/changing features)
  • n/a Example Plugin Updates (when adding/changing features)
  • Outline Remaining Work, Constraints from Design

glennmatthews self-assigned this on Jan 19, 2024
Co-authored-by: Hanlin Miao <46973263+HanlinMiao@users.noreply.github.com>
Comment on lines +170 to +172
html = clean_html(html)

return mark_safe(html) # noqa: S308 # suspicious-mark-safe-usage, OK here since we sanitized the string earlier
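Review bot: the `# noqa: S308` on `return mark_safe(html)` is justified only by the `clean_html(html)` call on the line above it, so the suppression is exactly as good as that ordering staying intact; add a unit test on `render_markdown()` asserting that script tags and event-handler attributes present in Markdown input do not survive into the returned string, so the justification in the comment is checked rather than just stated. If `clean_html()` is later made to return a `SafeString`, the `mark_safe()` wrapper and the noqa can be dropped together.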
Contributor:

Not blocking, but I wonder if clean_html should return a safe string?

glennmatthews (Contributor, Author):

Maybe so - can revisit this once we have more than a single consumer of clean_html to think about?
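The render-then-sanitize pattern under discussion, as an added example that is not Nautobot's code: here `clean_html()` already returns a `SafeString` (the change the reviewer floats), so `render_markdown()` needs neither its own `mark_safe()` call nor the `noqa`. Nautobot's `clean_html()` delegates to nh3; so that this example runs offline, a small stdlib allow-list sanitizer (`_AllowListSanitizer`) stands in for `nh3.clean()`, and a one-regex `_markdown_stub` stands in for the Markdown renderer. `SafeString`, `mark_safe`, the allow-lists and the sample inputs are all constructed for the example; the stand-in sanitizer illustrates the allow-list approach and is not a substitute for nh3.

```python
"""Render Markdown, sanitize the HTML, hand the result to templates as safe.

Added example, not Nautobot's code. Nautobot's clean_html() wraps the nh3
library; _AllowListSanitizer is a small stdlib stand-in for nh3.clean() so the
example runs offline, and _markdown_stub stands in for the Markdown renderer.
SafeString/mark_safe mimic django.utils.safestring (assumption).
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class SafeString(str):
    """Marker type: the template layer may emit this without escaping it again."""


def mark_safe(text):
    return SafeString(text)


# Allow-lists (constructed for the example; nh3 ships its own defaults).
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "code", "pre", "a",
                "ul", "ol", "li", "br", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}  # the tag *and* its text are discarded
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" keeps relative links


class _AllowListSanitizer(HTMLParser):
    """Re-serialize only allow-listed tags/attributes; escape all other text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0  # nesting depth inside script/style

    @staticmethod
    def _safe_href(value):
        return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text still flows through handle_data
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # drops on* handlers, style, id, ...
            if name == "href" and not self._safe_href(value):
                continue  # scheme not on the allow-list (javascript:, data:, ...)
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments never reach the output


def clean_html(html_text):
    """Sanitize and return a SafeString, so callers need no mark_safe()/noqa."""
    parser = _AllowListSanitizer()
    parser.feed(html_text)
    parser.close()
    return mark_safe("".join(parser.out))


_LINK = re.compile(r"\[([^\]]+)\]\(([^)\s]+)\)")


def _markdown_stub(text):
    """Stand-in renderer: links only. Raw HTML passes through untouched, which
    is the default of real Markdown renderers and the reason clean_html() exists."""
    body = _LINK.sub(r'<a href="\2">\1</a>', text)
    return f"<p>{body}</p>"


def render_markdown(value, renderer=_markdown_stub):
    """Render, then sanitize: the renderer's raw-HTML passthrough is what needs
    cleaning, so the sanitizer must run on the rendered output, not the input."""
    return clean_html(renderer(value))


if __name__ == "__main__":
    print(render_markdown("hi <script>alert(1)</script> [docs](https://example.com/?a=1&b=2)"))
```

The order matters: sanitizing the Markdown source instead of the rendered HTML would leave whatever the renderer itself emits unchecked. Returning `SafeString` from `clean_html()` moves the "this is safe" decision to the one place that actually makes it safe, which is the point of the reviewer's question.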

glennmatthews merged commit 64312a4 into ltm-1.6 on Jan 19, 2024
glennmatthews deleted the GHSA-v4xv-795h-rv4h-LTM branch on January 19, 2024 21:37