Secure Python Markdown Library [closed]

Posted 2019-02-05 01:17

I'd like to enable users to leave rich text comments, possibly using Markdown. I've installed the libraries used on Reddit, but am concerned about the JavaScript injection attack which occurred last year, especially since I'm still not clear on the details of how the attack was done. Should I still be concerned about comment security? Is there a test string I can put through my system to check for the same flaws that took down Reddit?

3 answers
Deceive 欺骗
Answer #2 · 2019-02-05 01:45

Reddit uses the Discount markdown library now.

放我归山
Answer #3 · 2019-02-05 01:51

Python-Markdown - the 'standard' one more or less - has a 'safe mode' feature that escapes HTML tags. That should be enough to counter almost all HTML injection attacks.

冷血范
Answer #4 · 2019-02-05 02:01

The other answers mention Python-Markdown's safe mode but that is now deprecated. The authors of Python-Markdown have been quoted saying:

"safe-mode" was a poor name choice that we continue to use for backward compatibility (old code still works with our newer versions). What it really is is a no-markup mode. In other words, it is just a way to disallow raw html and really doesn't guarantee safety.

They now recommend using an HTML sanitizer like Bleach to sanitize the Markdown output. mdx_bleach is a Python-Markdown extension that does just that. Disclaimer: I'm the author of this extension.

Because it uses html5lib to parse document fragments the same way browsers do, Bleach is extremely resilient to unknown attacks, much more so than regular-expression-based sanitizers.

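The pipeline the last answer recommends is: render the Markdown to HTML, then run that HTML through a parser-based sanitizer with an allowlist of tags, attributes and URL schemes. The example below is added here and is not code from the thread, from Python-Markdown or from Bleach; it is a standard-library stand-in for the Bleach step, built on `html.parser` so it runs with no third-party packages, and it also answers the "test string" part of the question with a small regression check. The allowlists (`ALLOWED_TAGS`, `ALLOWED_ATTRS`, `ALLOWED_SCHEMES`), the `sanitize` and `smoke_test` functions and the `RENDERED` sample fragment are all constructed for this example; in production you would pass the renderer's output to `bleach.clean()` with equivalent allowlists and get html5lib's browser-like parsing for free.

```python
"""Allowlist sanitizer for rendered Markdown (added example, stdlib only).

Stands in for the Bleach step recommended in the answer above; the allowlists
below are an assumption about what comment Markdown legitimately produces.
"""
import re
from html import escape
from html.parser import HTMLParser

# Everything not listed here is dropped; there is no denylist to keep up to date.
ALLOWED_TAGS = {"p", "em", "strong", "code", "pre", "blockquote",
                "ul", "ol", "li", "a", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
# A scheme is the run of scheme characters before the first ':' with no '/', '?'
# or '#' in front of it, which is how browsers decide too.
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def safe_url(url: str) -> bool:
    """True if the URL is relative or uses an allowlisted scheme."""
    # Browsers ignore tab/CR/LF inside a scheme, so remove them before checking.
    cleaned = "".join(ch for ch in url if ch not in "\t\r\n").strip().lower()
    match = SCHEME_RE.match(cleaned)
    if match is None:
        return True  # no scheme: a relative or path-only URL
    return match.group(1) in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags/attributes; text is always escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped_tags = []   # rejected tags, useful for logging or metrics
        self._skip = 0           # >0 inside <script>/<style>: drop their text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
            self.dropped_tags.append(tag)
            return
        if self._skip:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped_tags.append(tag)
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # rejects every on* handler, style=, etc.
            if name == "href" and not safe_url(value):
                continue  # HTMLParser has already decoded entities in the value
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))


def sanitize(rendered_html: str):
    """Return (clean_html, dropped_tags) for a Markdown renderer's HTML output."""
    parser = AllowlistSanitizer()
    parser.feed(rendered_html)
    parser.close()
    return "".join(parser.out), parser.dropped_tags


# Constructed sample: what a renderer that passes raw HTML through would emit
# for a comment mixing legitimate Markdown with inline HTML.
RENDERED = (
    '<p>Hello <strong>world</strong>, see <a href="https://example.com" title="docs">docs</a>.</p>'
    '<script>alert(1)</script>'
    '<p><a href="javascript:alert(1)">click</a></p>'
    '<p><img src="x" onerror="alert(1)"></p>'
    '<p>Tab <a href="java\tscript:alert(1)">t</a></p>'
    '<p>1 &lt; 2 &amp; 3</p>'
)


def smoke_test(fragment: str = RENDERED) -> bool:
    """Regression check for the sanitizer: nothing executable may survive."""
    clean, _ = sanitize(fragment)
    lowered = clean.lower()
    return not any(m in lowered for m in ("<script", "javascript:", "onerror"))


if __name__ == "__main__":
    clean_html, dropped = sanitize(RENDERED)
    print(clean_html)
    print("dropped tags:", dropped)
```

Two design points carry over directly to the Bleach configuration: the sanitizer runs on the HTML *after* Markdown rendering (sanitizing the Markdown source misses what the renderer itself emits), and scheme checks are done on the decoded attribute value, which is why a tokenizer-based sanitizer catches entity-encoded or tab-split schemes that a regex over the raw text would not.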