Secure Python Markdown Library [closed]

徘徊边缘 submitted on 2019-11-30 07:31:03

reddit uses the discount markdown library now.

Wander Nauta

Python-Markdown - the 'standard' one more or less - has a 'safe mode' feature that escapes html tags. That should be enough to counter almost all HTML injection attacks.

The other answers mention Python-Markdown's safe mode but that is now deprecated. The authors of Python-Markdown have been quoted saying:

"safe-mode" was a poor name choice that we continue to use for backward compatibility (old code still works with our newer versions). What it really is is a no-markup mode. In other words, it is just a way to disallow raw html and really doesn't guarantee safety.

They now recommend using an HTML sanitizer like Bleach to sanitize the Markdown output. mdx_bleach is a Python-Markdown extension that does just that. Disclaimer: I'm the author of this extension.

Because it uses html5lib to parse document fragments the same way browsers do, Bleach is extremely resilient to unknown attacks, much more so than regular-expression-based sanitizers.
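To make the "sanitize the rendered HTML, don't trust the renderer" point concrete, here is an added example that is not part of the answer above and not the mdx_bleach or Bleach code. It implements the same idea Bleach applies (a parser-driven allowlist of tags, attributes and URL schemes, with `<script>`/`<style>` content dropped) on top of the standard library's `html.parser`, so it runs without the `markdown` or `bleach` packages. `RENDERED` is a constructed sample of what a Markdown renderer emits for input that contains raw HTML, since Markdown passes raw HTML through; the tag and attribute allowlists are assumptions chosen for the demo.

```python
"""Allowlist HTML sanitizer for rendered Markdown (stdlib stand-in for Bleach).

Constructed example: Bleach does this on an html5lib parse tree; here the
standard library's tokenizer plays that role so the demo is self-contained.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlists for the demo. Anything not listed is unwrapped (its text
# is kept, the tag is removed); script/style lose their content as well.
ALLOWED_TAGS = {"p", "em", "strong", "code", "pre", "a",
                "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
DROP_CONTENT_TAGS = {"script", "style"}


def _safe_href(value):
    """Relative links and listed schemes pass; anything else is dropped."""
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; all text is re-escaped."""

    def __init__(self):
        # convert_charrefs=True decodes entities in text so we can re-escape
        # them uniformly in handle_data (prevents double/under-escaping).
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: unwrap it, its text still flows through
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # e.g. onclick, style, class are all dropped
            if name == "href" and not _safe_href(value):
                continue  # e.g. javascript: URLs are dropped
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if not self.drop_depth and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text (including text that was inside an unwrapped tag) is escaped
        # on the way out, so decoded entities like &lt; cannot become markup.
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    # Comments, declarations and processing instructions fall through to the
    # base class no-ops, so they are silently discarded.


def sanitize(html):
    """Run rendered Markdown HTML through the allowlist and return clean HTML."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample of renderer output for Markdown containing raw HTML.
RENDERED = (
    '<p>Hello <strong>world</strong>, see '
    '<a href="https://example.com" onclick="steal()">this</a>.</p>\n'
    '<script>alert(1)</script>\n'
    '<p><a href="javascript:alert(1)">click</a> &amp; '
    '<iframe src="//example.invalid"></iframe></p>'
)

if __name__ == "__main__":
    print(sanitize(RENDERED))
```

The design choice worth noting is the separation of duties: the renderer is treated as untrusted and the allowlist is applied to its output, exactly the arrangement the answer describes with Python-Markdown plus Bleach. Compared with a regex pass, the tokenizer decides where tags and attributes begin and end, so oddly formed markup is classified the same way the browser will classify it.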
