From c4b05befa4353bf4117a4861e2c066359e734257 Mon Sep 17 00:00:00 2001
From: miruka
Date: Thu, 24 Oct 2019 07:27:13 -0400
Subject: [PATCH] html_filter: html escape markdown before filtering

Fixes the problem where a user sends e.g. "hi " and the "" is removed because it's seen as a bad html tag.
---
 src/python/html_filter.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/python/html_filter.py b/src/python/html_filter.py
index d001bcc1..05fe2954 100644
--- a/src/python/html_filter.py
+++ b/src/python/html_filter.py
@@ -1,10 +1,10 @@
+import html
 import re
-import mistune
-from lxml.html import HtmlElement # nosec
-
 import html_sanitizer.sanitizer as sanitizer
+import mistune
 from html_sanitizer.sanitizer import Sanitizer
+from lxml.html import HtmlElement # nosec
 class MarkdownInlineGrammar(mistune.InlineGrammar):
@@ -65,11 +65,13 @@ class HtmlFilter:
     def from_markdown(self, text: str, outgoing: bool = False) -> str:
-        return self.filter(self._markdown_to_html(text), outgoing)
+        return self.filter(self._markdown_to_html(html.escape(text)), outgoing)
     def from_markdown_inline(self, text: str, outgoing: bool = False) -> str:
-        return self.filter_inline(self._markdown_to_html(text), outgoing)
+        return self.filter_inline(
+            self._markdown_to_html(html.escape(text)), outgoing,
+        )
     def filter_inline(self, html: str, outgoing: bool = False) -> str:
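Review bot: The parameter `html` of `filter_inline` (last line of the second hunk) now shadows the `html` module this commit imports, so any later `html.escape(...)` call inside `filter_inline` — or inside `filter`, if it uses the same parameter name outside the hunk — would fail with AttributeError on the string rather than escape it; the two new call sites live in `from_markdown` and `from_markdown_inline` and are unaffected, but the collision is worth removing, e.g. `import html as html_mod` with the two calls changed to `html_mod.escape(text)` (renaming the parameter only if no caller passes it by keyword). Escaping before rendering also changes markdown semantics: `>` becomes `&gt;`, so blockquote syntax and autolinks written as `<url>` can no longer be produced from user text — presumably intended, but worth a comment on the `html.escape(text)` lines such as `# escape first so literal "<...>" in user text reaches the sanitizer as text, not as a tag`. If the renderer behind `_markdown_to_html` is itself configured to escape text, `&` would end up double-escaped as `&amp;amp;`; that setup is outside the hunk, so confirm it. The `HtmlFilter` class and the body of `filter_inline` continue outside the hunk.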