安全的Python Markdown库 [英] Secure Python Markdown Library

问题描述

我想让用户可以使用markdown留下富文本评论.我已经安装了Reddit上使用的库，但是担心去年发生的javascript注入攻击，特别是因为我仍然不清楚如何进行攻击的细节.我是否仍应关注评论的安全性?我可以在系统中放入测试字符串来检查导致reddit故障的相同缺陷吗?

I'd like to enable users to leave rich text comments, possibly using markdown. I've installed the libraries used on Reddit, but am concerned about the javascript injection attack which occurred last year, especially since I'm still not clear on the details of how the attack was done. Should I still be concerned about comment security? Is there a test string I can put through my system to check for the same flaws that took down reddit?

推荐答案

Python-Markdown -一个或多个标准"-具有安全模式"功能，可转义html标签.这足以抵抗大多数HTML注入攻击.

Python-Markdown - the 'standard' one more or less - has a 'safe mode' feature that escapes html tags. That should be enough to counter most all HTML injection attacks.

这篇关于安全的Python Markdown库的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！