Ahmad Khayyat committed 0cc7f18

Clean rendered HTML using mezzanine RICHTEXT_* settings

After rendering markdown into HTML, HTML is cleaned as per the
RICHTEXT_ALLOWED_TAGS, RICHTEXT_ALLOWED_ATTRIBUTES, and
RICHTEXT_ALLOWED_STYLES mezzanine settings.

Tags, attributes, and styles that are not explicitly allowed are
stripped out.

  • Parent commits afd76ce

Files changed (1)

mezzanine_pagedown/filters.py

 from markdown import markdown
+from bleach import clean
+
+
+def _clean(html):
+    tags = settings.RICHTEXT_ALLOWED_TAGS
+    attrs = settings.RICHTEXT_ALLOWED_ATTRIBUTES
+    styles = settings.RICHTEXT_ALLOWED_STYLES
+    return clean(html, tags=tags, attributes=attrs, strip=True,
+                 strip_comments=False, styles=styles)
+
 
 def codehilite(content):
     """
     Renders content using markdown with the codehilite extension.
     """
-    return markdown(content, ['codehilite',])
+    return _clean(markdown(content, ['codehilite',]))
 
 
 def plain(content):
     """
     Renders content using markdown (no extensions).
-    Explicit is better than implicit....
     """
-    return markdown(content)
+    return _clean(markdown(content))
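Review bot: `_clean` reads `settings.RICHTEXT_ALLOWED_TAGS`, `settings.RICHTEXT_ALLOWED_ATTRIBUTES` and `settings.RICHTEXT_ALLOWED_STYLES`, but the only import this hunk adds is `from bleach import clean`; unless `settings` is already imported above the visible context, every render will raise `NameError`, and for the mezzanine `RICHTEXT_*` defaults to be registered it should be `from mezzanine.conf import settings` rather than `django.conf`. Two smaller points: the `styles=` keyword of `bleach.clean` has changed across bleach releases, so the package requirement should pin a version that accepts it; and because `codehilite` emits class-bearing `<div>`/`<span>` markup, the README or docstring should state that `RICHTEXT_ALLOWED_TAGS`/`RICHTEXT_ALLOWED_ATTRIBUTES` must permit those tags and the `class` attribute, otherwise `strip=True` silently removes the highlighting. The removal of the "Explicit is better than implicit...." docstring line in `plain` is unrelated to the sanitising change and would be cleaner as its own commit.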