hotfix: XSS issues #173 #182

Author: Agus Makmun

README.md

@@ -34,6 +34,7 @@
 * `Django>=3.2`
 * `Markdown>=3.0`
 * `requests>=2.12.4`
+* `bleach`
 
 
 ### Installation
@@ -155,6 +156,21 @@ ALLOWED_URL_SCHEMES = [
     "file", "ftp", "ftps", "http", "https", "irc", "mailto",
     "sftp", "ssh", "tel", "telnet", "tftp", "vnc", "xmpp",
 ]
+
+# https://gist.github.com/mrmrs/7650266
+ALLOWED_HTML_TAGS = [
+    "a", "abbr", "b", "blockquote", "br", "cite", "code", "command",
+    "dd", "del", "dl", "dt", "em", "fieldset", "h1", "h2", "h3", "h4", "h5", "h6",
+    "hr", "i", "iframe", "img", "input", "ins", "kbd", "label", "legend",
+    "li", "ol", "optgroup", "option", "p", "pre", "small", "span", "strong",
+    "sub", "sup", "table", "tbody", "td", "tfoot", "th", "thead", "tr", "u", "ul"
+]
+
+ALLOWED_HTML_ATTRIBUTES = [
+    "alt", "class", "color", "colspan", "datetime",  # "data",
+    "height", "href", "id", "name", "reversed", "rowspan",
+    "scope", "src", "style", "title", "type", "width"
+]
 ```
 
 Check this setting is not set else csrf will not be sent over ajax calls:

martor/__init__.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 
-__VERSION__ = "1.6.14"
-__RELEASE_DATE__ = "04-Sep-2022"
+__VERSION__ = "1.6.15"
+__RELEASE_DATE__ = "18-Nov-2022"
 __AUTHOR__ = "Agus Makmun (Summon Agus)"
 __AUTHOR_EMAIL__ = "summon.agus@gmail.com"

martor/settings.py

@@ -138,3 +138,86 @@
         "xmpp",
     ],
 )
+
+# https://gist.github.com/mrmrs/7650266
+ALLOWED_HTML_TAGS = getattr(
+    settings,
+    "ALLOWED_HTML_TAGS",
+    [
+        "a",
+        "abbr",
+        "b",
+        "blockquote",
+        "br",
+        "cite",
+        "code",
+        "command",
+        "dd",
+        "del",
+        "dl",
+        "dt",
+        "em",
+        "fieldset",
+        "h1",
+        "h2",
+        "h3",
+        "h4",
+        "h5",
+        "h6",
+        "hr",
+        "i",
+        "iframe",
+        "img",
+        "input",
+        "ins",
+        "kbd",
+        "label",
+        "legend",
+        "li",
+        "ol",
+        "optgroup",
+        "option",
+        "p",
+        "pre",
+        "small",
+        "span",
+        "strong",
+        "sub",
+        "sup",
+        "table",
+        "tbody",
+        "td",
+        "tfoot",
+        "th",
+        "thead",
+        "tr",
+        "u",
+        "ul",
+    ],
+)
+
+# https://github.com/decal/werdlists/blob/master/html-words/html-attributes-list.txt
+ALLOWED_HTML_ATTRIBUTES = getattr(
+    settings,
+    "ALLOWED_HTML_ATTRIBUTES",
+    [
+        "alt",
+        "class",
+        "color",
+        "colspan",
+        # "data",
+        "datetime",
+        "height",
+        "href",
+        "id",
+        "name",
+        "reversed",
+        "rowspan",
+        "scope",
+        "src",
+        "style",
+        "title",
+        "type",
+        "width",
+    ],
+)

martor/static/martor/css/martor-admin.min.css

@@ -1,7 +1,7 @@
 /**
- * Name         : Martor v1.6.14
+ * Name         : Martor v1.6.15
  * Created by   : Agus Makmun (Summon Agus)
- * Release date : 04-Sep-2022
+ * Release date : 18-Nov-2022
  * License      : GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007
  * Repository   : https://github.com/agusmakmun/django-markdown-editor
 **/

martor/static/martor/css/martor.bootstrap.min.css

@@ -1,7 +1,7 @@
 /**
- * Name         : Martor v1.6.14
+ * Name         : Martor v1.6.15
  * Created by   : Agus Makmun (Summon Agus)
- * Release date : 04-Sep-2022
+ * Release date : 18-Nov-2022
  * License      : GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007
  * Repository   : https://github.com/agusmakmun/django-markdown-editor
 **/