Closes #3471: Disallow raw HTML in Markdown-rendered fields

2024-05-10 07:54:54 +00:00 · 2019-10-09 14:47:40 -04:00
parent 7a65930361
commit 738368a6a1
2 changed files with 7 additions and 0 deletions
--- a/netbox/utilities/templatetags/helpers.py
+++ b/netbox/utilities/templatetags/helpers.py
@@ -3,6 +3,7 @@ import json
 import re

 from django import template
+from django.utils.html import strip_tags
 from django.utils.safestring import mark_safe
 from markdown import markdown

@@ -58,7 +59,12 @@ def gfm(value):
    """
    Render text as GitHub-Flavored Markdown
    """
+    # Strip HTML tags
+    value = strip_tags(value)
+
+    # Render Markdown with GFM extension
    html = markdown(value, extensions=['mdx_gfm'])
+
    return mark_safe(html)