
Release new version (with security fixes) on PyPi #186

phihag opened this Issue · 2 comments

2 participants


I don't want to toot my own horn, but #185 fixes a major security issue. To allow downstream projects to securely use Python-Markdown (and not custom forks or monkey-patched versions), a new release on PyPi would be great.


Forked to secure-Markdown for now. Sorry for the fork, but we really can't depend on known-insecure libraries.


Obviously, this is open source software so you can fork as you see fit, but I would discourage calling it secure Markdown (although I see you accurately listed "Development Status :: 2 - Pre-Alpha"). In fact, "safe_mode" is called safe only for historical reasons (before I joined the project). It is an unfortunately named feature. As the developer, I make no guarantees about the security of "safe_mode" (even after applying your patch). If you want "safe" output, my recommendation is to use a third party sanitizer (like Bleach) to wrap markdown's output.

In fact, my long term goal is to drop "safe_mode" altogether (perhaps an extension will be available to escape raw html - but no more) and recommend something like Bleach instead.

Regarding the slow response to do a release: I work on Python-Markdown voluntarily in my spare time. I will get to it when I have the time - no sooner.

@waylan waylan closed this