Merge pull request #985 from noobpk/noobpk-fix-xss-markdown
Add URL schemes that are allowed within links
f73651f8f9
@ -56,6 +56,19 @@ def get_markdown(text):
if not text:
if not text:
return ""
return ""
pattern = fr'([\[\s\S\]]*?)\(([\s\S]*?):([\s\S]*?)\)'
# Regex check
if re.match(pattern, text):
# get get value of group regex
scheme = re.search(pattern, text, re.IGNORECASE).group(2)
# scheme check
if scheme in helpdesk_settings.ALLOWED_URL_SCHEMES:
replacement = '\\1(\\2:\\3)'
else:
replacement = '\\1(\\3)'
text = re.sub(pattern, replacement, text, flags=re.IGNORECASE)
return mark_safe(
return mark_safe(
markdown(
markdown(
text,
text,
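Review bot: Only the first link's scheme is checked — `re.search(pattern, text, ...).group(2)` inspects one match — but `re.sub` then applies that single verdict to every link in the text, so `[a](https://x) [b](javascript:alert(1))` keeps its `javascript:` href because the first scheme was allowed. The rewrite below tests each match's own scheme through a callable replacement (lower-cased, since the allowlist entries are lowercase) and drops the redundant `re.match` pre-check, as `re.sub` is already a no-op when nothing matches. Separately, this regex only sees inline `[text](scheme:rest)` syntax; reference-style link definitions, autolinks and any raw HTML the `markdown(...)` call lets through are not covered, and an allowlist applied to the source before rendering can be sidestepped by encodings the renderer or browser decodes (`&colon;` is the usual one), so the `href` attributes of the rendered output are the safer place to enforce this. `get_markdown` starts and ends outside this hunk.
```python
    pattern = r'([\[\s\S\]]*?)\(([\s\S]*?):([\s\S]*?)\)'

    def _filter_scheme(match):
        # Decide per link, so a later javascript: link cannot ride on the
        # verdict of an earlier, allowed one.
        if match.group(2).lower() in helpdesk_settings.ALLOWED_URL_SCHEMES:
            return match.group(0)
        return '%s(%s)' % (match.group(1), match.group(3))

    text = re.sub(pattern, _filter_scheme, text, flags=re.IGNORECASE)
    # … unchanged: return mark_safe(markdown(text, ...)) …
```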
@ -76,7 +76,10 @@ HELPDESK_AUTO_SUBSCRIBE_ON_TICKET_RESPONSE = getattr(settings,
'HELPDESK_AUTO_SUBSCRIBE_ON_TICKET_RESPONSE',
'HELPDESK_AUTO_SUBSCRIBE_ON_TICKET_RESPONSE',
False)
False)
# URL schemes that are allowed within links
ALLOWED_URL_SCHEMES = getattr(settings, 'ALLOWED_URL_SCHEMES', (
'file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto', 'sftp', 'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp',
))
############################
############################
# options for public pages #
# options for public pages #
############################
############################
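Review bot: The new setting is read as `getattr(settings, 'ALLOWED_URL_SCHEMES', ...)` without the `HELPDESK_` prefix that the neighbouring `HELPDESK_AUTO_SUBSCRIBE_ON_TICKET_RESPONSE` lookup uses, so it is inconsistent with this file and liable to collide with a same-named setting from another app; `ALLOWED_URL_SCHEMES = getattr(settings, 'HELPDESK_ALLOWED_URL_SCHEMES', (` keeps the module-level name and fixes the lookup. The comment should also say what the list is enforced against, since deployers will want to trim it: `# URL schemes permitted in markdown links; a link with any other scheme (e.g. javascript:, data:) has its scheme stripped`. A default that includes `file`, `tftp` and `vnc` is broader than most ticket-system deployments need, which is one more reason to document the setting. A blank line between `))` and the `####` banner would match the spacing used elsewhere in this file.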