Release new version (with security fixes) on PyPi #186

Closed
phihag opened this Issue Feb 5, 2013 · 2 comments

Contributor

phihag commented Feb 5, 2013

I don't want to toot my own horn, but #185 fixes a major security issue. To allow downstream projects to securely use Python-Markdown (and not custom forks or monkey-patched versions), a new release on PyPi would be great.

Contributor

phihag commented Feb 7, 2013

Forked to secure-Markdown for now. Sorry for the fork, but we really can't depend on known-insecure libraries.

Owner

waylan commented Feb 7, 2013

Obviously, this is open source software so you can fork as you see fit, but I would discourage calling it secure Markdown (although I see you accurately listed "Development Status :: 2 - Pre-Alpha"). In fact, "safe_mode" is called safe only for historical reasons (before I joined the project). It is an unfortunately named feature. As the developer, I make no guarantees about the security of "safe_mode" (even after applying your patch). If you want "safe" output, my recommendation is to use a third party sanitizer (like Bleach) to wrap markdown's output.

In fact, my long term goal is to drop "safe_mode" altogether (perhaps an extension will be available to escape raw html - but no more) and recommend something like Bleach instead.

Regarding the slow response to do a release: I work on Python-Markdown voluntarily in my spare time. I will get to it when I have the time - no sooner.
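The recommendation above is to treat the renderer's output as untrusted and wrap it in an allow-list sanitizer rather than rely on `safe_mode`. The following is an added example of that pattern, not code from Python-Markdown, Bleach, or either participant: a small allow-list sanitizer built on the standard library's `html.parser` stands in for Bleach, and the tag, attribute and URL-scheme allow-lists, as well as the sample input, are constructed for illustration.

```python
"""Allow-list sanitiser applied to rendered Markdown output (added example).

Uses only the standard library as a stand-in for Bleach; the allow-lists
below are constructed for this example, not taken from Python-Markdown or Bleach.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allow-lists: tags a Markdown renderer legitimately produces,
# the attributes they may carry, and the URL schemes a link may point at.
ALLOWED_TAGS = {"p", "br", "hr", "em", "strong", "code", "pre", "blockquote",
                "ul", "ol", "li", "h1", "h2", "h3", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "hr"}  # these never get a closing tag


def _safe_url(value):
    """Accept relative URLs and the allowed schemes; reject e.g. javascript:."""
    scheme = urlsplit(value.strip()).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class AllowListSanitizer(HTMLParser):
    """Re-serialise only allow-listed tags and attributes.

    Any other markup is dropped, while its text content is kept and
    re-escaped, so script bodies and event handlers never reach the page.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []  # allowed, non-void tags still waiting for a close

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown or dangerous tag: markup dropped, text kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # onclick, style, src, ... never survive
            if name == "href" and not _safe_url(value):
                continue  # drop the link target, keep the link text
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.stack:
            return  # stray end tag, or one whose start was dropped
        # close anything still open inside this element, then the element
        while True:
            top = self.stack.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        # convert_charrefs=True hands us decoded text; escape it again on output
        self.out.append(escape(data, quote=False))

    def result(self):
        self.close()  # flush buffered text
        while self.stack:  # close tags the input left dangling
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(rendered_html):
    """Sanitise the HTML a Markdown renderer produced, whatever safe_mode did."""
    parser = AllowListSanitizer()
    parser.feed(rendered_html)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample of what a renderer might emit when untrusted Markdown
    # carries raw HTML; the sanitiser keeps the text and legitimate structure only.
    sample = ('<p>Hi <script>alert(1)</script>'
              '<a href="javascript:alert(1)" onclick="x()">link</a></p>'
              '<img src=x onerror=alert(1)><em>unclosed')
    print(sanitize(sample))
```

The sanitiser runs on the renderer's output, so it does not matter whether the Markdown library escaped, stripped or passed through raw HTML: everything outside the allow-list is reduced to escaped text, link targets are restricted to known schemes, and unbalanced tags are closed so the fragment cannot swallow markup that follows it on the page.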

waylan closed this Feb 7, 2013
