Merge pull request #48 from edx/dsheraz/js_href
Clean anchor tags to counter XSS
Showing
4 changed files
with
34 additions
and
1 deletion.
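--- /dev/null
+++ b/<path not shown on page: extension module>
@@ -0,0 +1,12 @@
+from markdown.extensions import Extension
+
+from .processors import AnchorTagProcessor
+
+
+class AnchorTagExtension(Extension):
+    """
+    Custom extension to register anchor tag processor with Markdown.
+    """
+
+    def extendMarkdown(self, md, md_globals):
+        md.treeprocessors.add('AnchorTagProcessor', AnchorTagProcessor(md), '>inline')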
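Review bot: `extendMarkdown(self, md, md_globals)` together with `md.treeprocessors.add(..., '>inline')` is the Python-Markdown 2.x registration API; in Markdown 3.0+ `extendMarkdown` receives only `md` and processors are attached with `md.treeprocessors.register(processor, name, priority)`, so this extension would fail to load under that version. That is acceptable if the project pins `Markdown<3` (the page does not show the requirements), but a comment on the method stating the supported version range would save the next upgrade from silently dropping the XSS guard. The `'>inline'` placement is load-bearing for the security goal, since the processor must run after the inline treeprocessor that turns `[text](url)` into `<a>` elements, and deserves a why-comment such as `# must run after 'inline' so Markdown links already exist as <a> elements`. The method also has no docstring; `"""Register AnchorTagProcessor to run after the inline treeprocessor."""` would do.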
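--- /dev/null
+++ b/<path not shown on page: processors module>
@@ -0,0 +1,19 @@
+from markdown.treeprocessors import Treeprocessor
+
+
+class AnchorTagProcessor(Treeprocessor):
+    """
+    Custom treeprocessor to process the anchor tags in the HTML tree
+    """
+
+    def run(self, root):
+        anchor_tags = root.findall('.//a')
+        for a_tag in anchor_tags:
+            if not self.is_href_valid(a_tag.get('href')):
+                a_tag.set('href', '#')
+
+    def is_href_valid(self, value):
+        """
+        After mark down, validate if the JS is present inside the value of anchor tag.
+        """
+        return not value.lower().startswith('javascript:')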
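Review bot: `is_href_valid` calls `value.lower()` on the result of `a_tag.get('href')`, which is `None` for any `<a>` without an href (named anchors, `<a id="...">`), so `run` raises AttributeError on such trees and the whole render fails; the method should accept `None` and treat it as safe. The deny-list prefix check is also weaker than the sanitizer needs: browsers normalize away ASCII tab/newline and leading/trailing control characters before reading the scheme, and other active schemes (`vbscript:`, `data:`) are not covered, so the robust form is to normalize the same way, parse with `urllib.parse.urlparse`, and accept only a relative reference or an allow-listed scheme (a module-level `from urllib.parse import urlparse` is required for the version below). Separately, Python-Markdown stashes raw HTML blocks and re-inserts them after tree processing, so an `<a>` written as literal HTML in the source likely never reaches this treeprocessor — confirm that another sanitizer covers that path; the two changed files not shown on this page may do so. `run` has no docstring; `"""Rewrite the href of every <a> whose scheme is not allow-listed to '#'."""` describes what it does.
```python
    def is_href_valid(self, value):
        """
        Return True when *value* may stay as an href: no href at all, a
        relative reference, or one of the allow-listed schemes.
        """
        if value is None:
            return True
        # Browsers drop ASCII tab/newline anywhere in a URL and trim
        # surrounding control characters before parsing the scheme, so
        # normalize the same way or the comparison can be sidestepped.
        cleaned = ''.join(ch for ch in value if ch not in '\t\r\n').strip()
        scheme = urlparse(cleaned).scheme.lower()
        return scheme in ('', 'http', 'https', 'mailto')
```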