Release new version (with security fixes) on PyPI #186

Closed
phihag opened this Issue · 2 comments

2 participants

@phihag

I don't want to toot my own horn, but #185 fixes a major security issue. To allow downstream projects to securely use Python-Markdown (and not custom forks or monkey-patched versions), a new release on PyPI would be great.

@phihag

Forked to secure-Markdown for now. Sorry for the fork, but we really can't depend on known-insecure libraries.

@waylan
Owner

Obviously, this is open source software so you can fork as you see fit, but I would discourage calling it secure Markdown (although I see you accurately listed "Development Status :: 2 - Pre-Alpha"). In fact, "safe_mode" is called safe only for historical reasons (before I joined the project). It is an unfortunately named feature. As the developer, I make no guarantees about the security of "safe_mode" (even after applying your patch). If you want "safe" output, my recommendation is to use a third party sanitizer (like Bleach) to wrap markdown's output.

In fact, my long term goal is to drop "safe_mode" altogether (perhaps an extension will be available to escape raw html - but no more) and recommend something like Bleach instead.

Regarding the slow response to do a release: I work on Python-Markdown voluntarily in my spare time. I will get to it when I have the time - no sooner.

@waylan waylan closed this
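The approach the maintainer recommends above, sanitizing the renderer's output with an allowlist instead of trusting `safe_mode`, looks like this in practice. This is an added example, not code from Python-Markdown, secure-Markdown or Bleach: to run offline it uses a small standard-library sanitizer in place of Bleach, and the allowlisted tags, attributes and URL schemes, the `sanitize()` function name and the rendered-HTML sample are all assumptions constructed for the example. With Bleach you would pass the same rendered HTML to `bleach.clean()` with your own allowlists instead.

```python
"""Allowlist sanitizer applied to rendered Markdown HTML (added example).

Stand-in for the "wrap markdown's output in a sanitizer" recommendation.
Everything the Markdown renderer emitted is treated as untrusted: tags not on
the allowlist are dropped, attributes not on the per-tag allowlist are
dropped, and link targets must use an allowlisted scheme. The allowlists and
the sample input are constructed assumptions, not project settings.
"""
from html import escape
from html.parser import HTMLParser

# Assumed allowlists: tags that may survive, attributes per tag, URL schemes.
ALLOWED_TAGS = {
    "p", "em", "strong", "code", "pre", "ul", "ol", "li",
    "blockquote", "a", "h1", "h2", "h3",
}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_URL_SCHEMES = ("http:", "https:", "mailto:")
# Elements whose *content* is also dropped, not just the tag.
SUPPRESSED_CONTENT = {"script", "style"}


def _safe_url(value):
    """True if the href is relative or uses an allowlisted scheme."""
    if value is None:
        return False
    # Browsers ignore whitespace and control characters inside a scheme,
    # so strip them before checking rather than matching the raw string.
    cleaned = "".join(
        ch for ch in value if ch.isprintable() and not ch.isspace()
    ).lower()
    if ":" not in cleaned:
        return True  # relative URL (conservative: any ':' means 'has a scheme')
    return cleaned.startswith(ALLOWED_URL_SCHEMES)


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted markup; everything else becomes text or is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._suppress = None  # name of a script/style element being skipped

    def handle_starttag(self, tag, attrs):
        if tag in SUPPRESSED_CONTENT:
            self._suppress = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # drop the tag; its text still flows through handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # e.g. onclick, onerror, style are never on the list
            if name == "href" and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == self._suppress:
            self._suppress = None
            return
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._suppress:
            return
        # Entities were decoded by the parser; re-escape so text stays text.
        self.out.append(escape(data, quote=False))


def sanitize(rendered_html):
    """Return the allowlist-filtered form of HTML produced by a Markdown renderer."""
    parser = AllowlistSanitizer()
    parser.feed(rendered_html)
    parser.close()
    return "".join(parser.out)


# Constructed sample of what a renderer might emit when fed untrusted Markdown
# containing raw HTML; it is not real project output.
CONSTRUCTED_RENDERED_HTML = (
    '<p>Hello <strong>world</strong>, see '
    '<a href="https://example.com" title="ok">this</a>.</p>\n'
    '<p><a href="javascript:alert(1)">click</a></p>\n'
    '<script>alert("xss")</script>\n'
    '<img src="x" onerror="alert(1)">\n'
    '<p onclick="alert(1)">text &lt;b&gt; here</p>'
)

if __name__ == "__main__":
    print(sanitize(CONSTRUCTED_RENDERED_HTML))
```

The design point is the allowlist: the sanitizer never tries to enumerate what is dangerous, it only re-emits what is known to be harmless, so a new tag or attribute it has not heard of is dropped by default. That is the property `safe_mode` could not offer, and the reason the maintainer points at a dedicated sanitizer for "safe" output.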