forked from extern/django-helpdesk
Merge pull request #985 from noobpk/noobpk-fix-xss-markdown
Add URL schemes that are allowed within links
This commit is contained in:
commit
f73651f8f9
@ -56,6 +56,19 @@ def get_markdown(text):
|
||||
if not text:
|
||||
return ""
|
||||
|
||||
pattern = fr'([\[\s\S\]]*?)\(([\s\S]*?):([\s\S]*?)\)'
|
||||
# Regex check
|
||||
if re.match(pattern, text):
|
||||
# get get value of group regex
|
||||
scheme = re.search(pattern, text, re.IGNORECASE).group(2)
|
||||
# scheme check
|
||||
if scheme in helpdesk_settings.ALLOWED_URL_SCHEMES:
|
||||
replacement = '\\1(\\2:\\3)'
|
||||
else:
|
||||
replacement = '\\1(\\3)'
|
||||
|
||||
text = re.sub(pattern, replacement, text, flags=re.IGNORECASE)
|
||||
|
||||
return mark_safe(
|
||||
markdown(
|
||||
text,
|
||||
|
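Review bot: The scheme decision is made once, on the first link only (`re.search(...).group(2)`), but the chosen `replacement` is then applied by `re.sub` to every link in the text, so a message whose first link uses an allowed scheme keeps every later link's scheme untouched, whatever it is, and the filter adds no protection there. The check has to happen per match, which `re.sub` supports through a callable replacement; the rewrite below does that and also lowercases the captured scheme before the membership test so it agrees with the `re.IGNORECASE` flag already passed to `re.sub`. The regex gate `if re.match(pattern, text)` becomes redundant once every match decides for itself, since `re.sub` is a no-op when nothing matches. get_markdown continues past the end of the hunk (the `markdown(` call is not closed here).
```python
    pattern = fr'([\[\s\S\]]*?)\(([\s\S]*?):([\s\S]*?)\)'

    def _drop_disallowed_scheme(match):
        # Decide per link: keep the scheme only when it is on the allow-list,
        # otherwise rewrite the link without it.
        if match.group(2).lower() in helpdesk_settings.ALLOWED_URL_SCHEMES:
            return match.group(0)
        return f'{match.group(1)}({match.group(3)})'

    text = re.sub(pattern, _drop_disallowed_scheme, text, flags=re.IGNORECASE)

    # … unchanged: return mark_safe(markdown(text, …)) …
```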
@ -76,7 +76,10 @@ HELPDESK_AUTO_SUBSCRIBE_ON_TICKET_RESPONSE = getattr(settings,
|
||||
'HELPDESK_AUTO_SUBSCRIBE_ON_TICKET_RESPONSE',
|
||||
False)
|
||||
|
||||
|
||||
# URL schemes that are allowed within links
|
||||
ALLOWED_URL_SCHEMES = getattr(settings, 'ALLOWED_URL_SCHEMES', (
|
||||
'file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto', 'sftp', 'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp',
|
||||
))
|
||||
############################
|
||||
# options for public pages #
|
||||
############################
|
||||
|
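Review bot: The new setting is read as `getattr(settings, 'ALLOWED_URL_SCHEMES', ...)` without the `HELPDESK_` prefix that the neighbouring `HELPDESK_AUTO_SUBSCRIBE_ON_TICKET_RESPONSE` carries, so a project's own or another app's `ALLOWED_URL_SCHEMES` would silently override the helpdesk default; reading `'HELPDESK_ALLOWED_URL_SCHEMES'` (keeping the bare name as a fallback if compatibility matters) would be consistent with the rest of the file as far as the hunk shows. The comment should also say where the list is consulted and how, e.g. `# URL schemes that get_markdown() keeps in rendered links; compared case-sensitively against the scheme text, so list them in lower case`. Whether `file`, `ssh`, `telnet` and `vnc` belong in a default list for links rendered from ticket text is a product decision worth recording next to the default, since every allowed scheme becomes clickable for whoever reads the ticket.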