From 36d702c7bce082f4b04bbffe3fa25799637b9b6b Mon Sep 17 00:00:00 2001
From: Martin Zimmermann
Date: Sun, 12 Jan 2014 12:16:46 +0100
Subject: [PATCH] proper use of Misaka's HTML render flags (fix malicious HTML injection)
This commit now sanitizes *all* HTML tags written by the user (also prevents auto-link to "unsafe" web protocols and images) as intended. Fortunately because of Sundown's typography support, it did not affect JS injection, but custom style tags and iframes. PS: thanks to the anonymous submitter of a comment including a style tag for 24pt, red font ;-)
---
 isso/utils/__init__.py | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/isso/utils/__init__.py b/isso/utils/__init__.py
index 5167bdb..a8327c3 100644
--- a/isso/utils/__init__.py
+++ b/isso/utils/__init__.py
@@ -121,9 +121,23 @@ class JSONResponse(Response):
 def markdown(text):
- return misaka.html(text, extensions= misaka.EXT_STRIKETHROUGH
- | misaka.EXT_SUPERSCRIPT | misaka.EXT_AUTOLINK
- | misaka.HTML_SKIP_HTML | misaka.HTML_SKIP_IMAGES | misaka.HTML_SAFELINK)
+ """Convert Markdown to (safe) HTML.
+
+ >>> markdown("*Ohai!*") # doctest: +IGNORE_UNICODE
+ '

Ohai!

'
+ >>> markdown("") # doctest: +IGNORE_UNICODE
+ '

alert('Onoe')

'
+ >>> markdown("http://example.org/ and sms:+1234567890") # doctest: +IGNORE_UNICODE
+ '

http://example.org/ and sms:+1234567890

'
+ """
+
+ # ~~strike through~~, sub script: 2^(nd) and http://example.org/ auto-link
+ exts = misaka.EXT_STRIKETHROUGH | misaka.EXT_SUPERSCRIPT | misaka.EXT_AUTOLINK
+
+ # remove HTML tags, skip (for now) and only render "safe" protocols
+ html = misaka.HTML_SKIP_HTML | misaka.HTML_SKIP_IMAGES | misaka.HTML_SAFELINK
+
+ return misaka.html(text, extensions=exts, render_flags=html).strip("\n")
 def origin(hosts):
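Review bot: The root cause — the `HTML_*` constants are render flags, so OR-ing them into `extensions=` (the removed lines) silently had no effect — is not recorded anywhere in the new code, and a later refactor could merge the two bit sets again; a comment above the `html = ...` line such as `# NB: HTML_* are render flags, not extensions — passed via extensions= they are ignored` would pin that down. The doctests only cover the `<script>` case, while the commit message names style tags and iframes as the content that actually got through; a unit test asserting that such tags are absent from the output (rather than matching the renderer's exact markup) would guard the fix more durably, and `IGNORE_UNICODE` is not a built-in doctest option flag, so these examples only run if the project registers it — worth confirming. Note that `HTML_SKIP_HTML` drops tags but keeps their text (the second example shows `alert('Onoe')` surviving as plain text), which is safe but lossy; the comment `# remove HTML tags, skip (for now) and only render "safe" protocols` should also say what is skipped, e.g. `# strip raw HTML tags, drop images (for now), link only "safe" protocols`.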