From 34752665e3a479243ce57bf024565d3f3ba78268 Mon Sep 17 00:00:00 2001
From: kvakil
Date: Wed, 5 Oct 2016 15:51:34 -0700
Subject: [PATCH] fixed cross-site scripting attack

The Markup class assumes that the string is HTML safe. Therefore no filtering is performed on comments. This fix uses jinja2.escape() before the data is passed to the markdown class, ensuring that all HTML tags are properly filtered.
---
 server/__init__.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/server/__init__.py b/server/__init__.py
index ba73f614b..a071f722c 100644
--- a/server/__init__.py
+++ b/server/__init__.py
@@ -8,6 +8,7 @@ from flask_wtf.csrf import CsrfProtect
 from webassets.loaders import PythonLoader as PythonAssetsLoader
 from werkzeug.contrib.fixers import ProxyFix
+from jinja2 import escape
 from server import assets, converters, utils
 from server.forms import CSRFForm
@@ -108,7 +109,7 @@ def not_found_error(error):
 })
 app.jinja_env.filters.update({
- 'markdown': lambda data: Markup(markdown(data)),
+ 'markdown': lambda data: Markup(markdown(escape(data))),
 'pluralize': utils.pluralize
 })
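Review bot: Escaping the input before it reaches markdown() in the new `'markdown'` filter does not make the rendered HTML safe: markdown link and image syntax still turns the escaped text into `<a href>` / `<img src>` elements, and escape() leaves the URL inside the parentheses untouched, so a URL with a scheme other than http/https/mailto passes straight into the Markup() result. The robust mitigation is to sanitize the HTML that markdown() returns (an allowlist of tags, attributes and URL schemes) and only then wrap it in Markup(); escaping the source text is not a substitute. Escaping first also changes rendering for existing comments: blockquote `>` markers become `&gt;` and are no longer recognized, and `&` inside code spans is escaped twice. `jinja2.escape` is a re-export of `markupsafe.escape`; `from markupsafe import escape` is the stable spelling. A why-comment on the lambda would help the next reader, e.g. `# Markup() marks the result HTML-safe without filtering it, so user text must be neutralized before rendering`; the function that registers these filters begins outside the hunk.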