fix: embedding html code #174

Author: Agus Makmun

martor/__init__.py

@@ -1,5 +1,5 @@
 # -*- coding: utf-8 -*-
 
-__VERSION__ = "1.6.10"
+__VERSION__ = "1.6.11"
 __AUTHOR__ = "Agus Makmun (Summon Agus)"
 __AUTHOR_EMAIL__ = "summon.agus@gmail.com"

martor/static/martor/css/martor-admin.min.css

@@ -1,7 +1,7 @@
 /**
- * Name         : Martor v1.6.10
+ * Name         : Martor v1.6.11
  * Created by   : Agus Makmun (Summon Agus)
- * Release date : 26-Jan-2022
+ * Release date : 21-Feb-2022
  * License      : GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007
  * Repository   : https://github.com/agusmakmun/django-markdown-editor
 **/

martor/static/martor/css/martor.bootstrap.min.css

@@ -1,7 +1,7 @@
 /**
- * Name         : Martor v1.6.10
+ * Name         : Martor v1.6.11
  * Created by   : Agus Makmun (Summon Agus)
- * Release date : 26-Jan-2022
+ * Release date : 21-Feb-2022
  * License      : GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007
  * Repository   : https://github.com/agusmakmun/django-markdown-editor
 **/

martor/static/martor/css/martor.semantic.min.css

@@ -63,7 +63,7 @@ def test_markdownify(self):
         self.assertEqual(response.status_code, 200)
         self.assertEqual(
             response.content.decode("utf-8"),
-            '<p><img alt="image" src="https://imgur.com/test.png" /></p>',
+            '<p><img alt="image" src="https://imgur.com/test.png"></p>',
         )  # noqa: E501
 
         # # Mention
@@ -78,6 +78,10 @@ def test_markdownify(self):
         # )
 
     def test_markdownify_xss_handled(self):
-        xss_payload = "[aaaa](javascript:alert(1))"
-        response = markdownify(xss_payload)
-        self.assertEqual(response, '<p><a href="alert(1)">aaaa</a></p>')
+        xss_payload_1 = "[aaaa](javascript:alert(1))"
+        response_1 = markdownify(xss_payload_1)
+        self.assertEqual(response_1, '<p><a href=":">aaaa</a></p>')
+
+        # xss_payload_2 = "![\" onerror=alert(1) ](x)"
+        # response_2 = markdownify(xss_payload_2)
+        # self.assertEqual(response_2, '')

martor/static/martor/js/martor.bootstrap.js

@@ -1,6 +1,5 @@
 import re
 
-from django.utils.html import strip_tags
 from django.utils.functional import Promise
 from django.core.serializers.json import DjangoJSONEncoder
 
@@ -28,9 +27,6 @@ def markdownify(markdown_text):
         '<p><img alt="awesome" src="http://i.imgur.com/hvguiSn.jpg" /></p>'
         >>>
     """
-    # Strip HTML tags
-    markdown_text = strip_tags(markdown_text)
-
     # Sanitize Markdown links
     # https://github.com/netbox-community/netbox/commit/5af2b3c2f577a01d177cb24cda1019551a2a4b64
     schemes = "|".join(ALLOWED_URL_SCHEMES)
@@ -46,6 +42,7 @@ def markdownify(markdown_text):
         markdown_text,
         extensions=MARTOR_MARKDOWN_EXTENSIONS,
         extension_configs=MARTOR_MARKDOWN_EXTENSION_CONFIGS,
+        output_format="html5",
     )