summaryrefslogtreecommitdiff
path: root/news/views.py
diff options
context:
space:
mode:
authorDan McGee <dan@archlinux.org>2012-10-26 16:49:58 -0500
committerDan McGee <dan@archlinux.org>2012-10-26 16:50:00 -0500
commit0b97d52351fc2bdcae16f1a1e7c56afd4ed476ad (patch)
treecae2a43c21d99f236a235863ee98f76775fb78c9 /news/views.py
parent520066075938d325f93f814f92bb6005d00833c8 (diff)
Enable safe mode for markdown parsing
Although we don't allow unauthenticated users to post content, we should still cover our bases here and ensure people can't inject stuff into the production website via an inadvertent XSS. Signed-off-by: Dan McGee <dan@archlinux.org>
Diffstat (limited to 'news/views.py')
-rw-r--r--news/views.py2
1 files changed, 1 insertions, 1 deletions
diff --git a/news/views.py b/news/views.py
index 03f3b0ac..c0230f1e 100644
--- a/news/views.py
+++ b/news/views.py
@@ -76,7 +76,7 @@ def view_redirect(request, object_id):
@require_POST
def preview(request):
data = request.POST.get('data', '')
- markup = markdown.markdown(data)
+ markup = markdown.markdown(data, safe_mode=True)
return HttpResponse(markup)
# vim: set ts=4 sw=4 et: