Markdown in Django XSS safe
Question
I am using Markdown in an app to display a user biography. I want the user to be able to slightly format the biography, so I'm letting them use the TinyMCE editor.
Then I display it in the Django template like this:
{% load markup %}
<div id="biography">
{{ biography|markdown }}
</div>
The problem is, if there is a tag in the biography, it is not being escaped as Django does everywhere else. This is the source output from a biography test:
<p><strong>asdfsdafsadf</strong></p>
<p><strong>sd<em>fdfdsfsd</em></strong><em>sdfsdfsdfdsf</em>sdfsdfsdf</p>
<p><strong>sdafasdfasdf</strong></p>
<script>document.location='http://test.com'</script>
How do I set Markdown to escape these malicious scripts?
Answer
According to the docstring of django.contrib.markup.templatetags.markup.markdown:
To enable safe mode, which strips raw HTML and only returns HTML generated by actual Markdown syntax, pass "safe" as the first extension in the list.
This should work:
{{ biography|markdown:"safe" }}
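Safe mode works because the raw HTML never reaches the template as markup: only the HTML that Markdown itself generates from its own syntax is kept. The same defence can be applied independently of the filter, which matters because later Django releases removed django.contrib.markup and Python-Markdown removed safe_mode: render the Markdown, then pass the result through an allow-list sanitizer before marking it safe. The sanitizer below is an added example, not code from the question, the answer or Django; it uses only the standard library, and ALLOWED_TAGS, sanitize_html and SAMPLE_OUTPUT (the question's own test output, reassembled as a constructed input) are names chosen here.

```python
"""Allow-list HTML sanitizer for Markdown output, stdlib only.

Keeps the formatting tags Markdown produces (paragraphs, emphasis, lists,
links with http/https/mailto targets) and drops everything else. <script>
and <style> lose their content as well as their tags; any other unknown
tag is removed but its text is kept, HTML-escaped.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "strong", "em", "ul", "ol", "li", "br", "a", "code",
                "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}           # no attributes on anything else
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
DROP_CONTENT_TAGS = {"script", "style"}   # tag and body both go
VOID_TAGS = {"br"}

# Constructed sample: the question's test output, joined with newlines.
SAMPLE_OUTPUT = (
    "<p><strong>asdfsdafsadf</strong></p>\n"
    "<p><strong>sd<em>fdfdsfsd</em></strong><em>sdfsdfsdfdsf</em>sdfsdfsdf</p>\n"
    "<p><strong>sdafasdfasdf</strong></p>\n"
    "<script>document.location='http://test.com'</script>"
)


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True hands us decoded text, which we re-escape
        # on output, so entities can never smuggle markup through.
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return                        # drop the tag, keep the text
        safe_attrs = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                  # e.g. onclick, style, id
            if name == "href" and not (value or "").lower().startswith(SAFE_URL_SCHEMES):
                continue                  # blocks javascript:, data:, vbscript:
            safe_attrs.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth = max(0, self._drop_depth - 1)
            return
        if self._drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                              # comments are never emitted


def sanitize_html(html: str) -> str:
    """Return `html` reduced to the allow-listed subset above."""
    parser = AllowListSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print(sanitize_html(SAMPLE_OUTPUT))
```

In a Django project this would sit behind a custom template filter that returns `mark_safe(sanitize_html(markdown.markdown(text)))`, so the template never sees unsanitized markup; a maintained sanitizer such as bleach or nh3 does the same job with broader coverage, and the point to keep is that escaping happens after rendering, on the final HTML, not on the Markdown source.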