Markdown in Django XSS safe

-上瘾入骨i 2021-01-15 02:30

I am using Markdown in an app to display a user biography. I want the user to be able to slightly format the biography, so I'm letting them use the TinyMCE editor.

2 answers
  • 2021-01-15 02:49

    Markdown in safe mode would remove all html tags, which means your users cannot input HTML segments in the biography. In some cases, this is not preferable. I would recommend you use force_escape before markdown, so anything fed into markdown is safe.

    For example, if your biography is <html>I'm really a HTML fan!</html>, using

    {{ biography|markdown:"safe"}}
    

    would produce HTML REMOVED.. Instead, if you use

    {{ biography|force_escape|markdown }}
    

    The output would be something like

    <p>&lt;html&gt;I'm really a HTML fan!&lt;/html&gt;</p>
    
  • 2021-01-15 02:57

    According to django.contrib.markup.templatetags.markup.markdown's docstrings:

    To enable safe mode, which strips raw HTML and only returns HTML generated by actual Markdown syntax, pass "safe" as the first extension in the list.

    This should work:

    {{ biography|markdown:"safe" }}
    
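The two answers describe two different pipelines, `markdown:"safe"` (strip raw HTML) and `force_escape|markdown` (escape first, so tags become literal text). The following is an added example, not code from the thread or from Django: it models both pipelines with the standard library only, so it runs without Django or Python-Markdown installed. `toy_markdown`, `markdown_safe_mode`, `force_escape_then_markdown`, `foreign_tags` and the sample inputs are constructed for this example; `toy_markdown` is a deliberately small Markdown subset that, like real Markdown, copies raw HTML through untouched, and `html.escape` stands in for Django's `force_escape` (which also escapes quote characters, so the apostrophe in the thread's biography comes out as `&#x27;`). Two caveats worth knowing: `django.contrib.markup` was removed in Django 1.6 and Python-Markdown 3 dropped `safe_mode`, so on current stacks the equivalent is to sanitize the rendered HTML with an allowlist-based sanitizer; and escaping before rendering also neutralizes Markdown syntax that uses `>` or quotes, which the blockquote sample below makes visible.

```python
import html
import re

# Names and sample inputs below are constructed for this example.
RAW_TAG = re.compile(r"<[^>]*>")
HTML_REMOVED = "[HTML_REMOVED]"          # placeholder text old safe mode emitted
MARKDOWN_OWN_TAGS = {"p", "em", "strong", "blockquote"}


def _inline(text):
    """*emphasis* and **strong** only; everything else passes through."""
    text = re.sub(r"\*\*(.+?)\*\*", r"<strong>\1</strong>", text)
    return re.sub(r"\*(.+?)\*", r"<em>\1</em>", text)


def toy_markdown(text):
    """Tiny Markdown subset. Like real Markdown it copies raw HTML through
    untouched, which is exactly why user-supplied Markdown is an XSS risk."""
    out = []
    for para in re.split(r"\n\s*\n", text.strip()):
        lines = [line.strip() for line in para.splitlines()]
        if lines and all(line.startswith(">") for line in lines):
            inner = " ".join(line[1:].strip() for line in lines)
            out.append("<blockquote><p>%s</p></blockquote>" % _inline(inner))
        elif lines and lines[0].startswith("<"):
            out.append(" ".join(lines))              # raw HTML block, verbatim
        else:
            out.append("<p>%s</p>" % _inline(" ".join(lines)))
    return "\n".join(out)


def markdown_safe_mode(text):
    """Model of {{ biography|markdown:"safe" }}: raw HTML is replaced by a
    placeholder, so the user's tags (and, for a block, their text) vanish."""
    cleaned = []
    for para in re.split(r"\n\s*\n", text.strip()):
        stripped = para.strip()
        if stripped.startswith("<"):
            cleaned.append(HTML_REMOVED)             # whole HTML block dropped
        else:
            cleaned.append(RAW_TAG.sub(HTML_REMOVED, stripped))
    return toy_markdown("\n\n".join(cleaned))


def force_escape_then_markdown(text):
    """Model of {{ biography|force_escape|markdown }}: html.escape behaves like
    Django's force_escape (quotes included), so tags become literal text."""
    return toy_markdown(html.escape(text, quote=True))


def foreign_tags(rendered):
    """Check worth keeping in a test suite: which tags in the rendered output
    did the Markdown renderer itself NOT produce? Anything listed here came
    from user input and survived the pipeline."""
    names = re.findall(r"</?([A-Za-z][A-Za-z0-9]*)", rendered)
    return sorted(set(names) - MARKDOWN_OWN_TAGS)


# Constructed inputs: the thread's own biography, an injected script, a blockquote.
BIO = "<html>I'm really a HTML fan!</html>"
INJECTED = "Hello <script>alert(1)</script> world"
QUOTED = "> a quoted *line*"


if __name__ == "__main__":
    pipelines = (("plain markdown", toy_markdown),
                 ('markdown:"safe"', markdown_safe_mode),
                 ("force_escape|markdown", force_escape_then_markdown))
    for label, render in pipelines:
        for src in (BIO, INJECTED, QUOTED):
            out = render(src)
            print("%-22s %-40r -> %r   foreign tags: %s"
                  % (label, src, out, foreign_tags(out)))
```

Running the block prints a nine-row comparison. Plain rendering lets `<script>` through (and `foreign_tags` flags it), safe mode turns the whole biography into `[HTML_REMOVED]`, and escape-first keeps the text readable while leaving no foreign tags, at the cost of turning the `>` blockquote into a literal `&gt;`.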