From 5017a9ba7e8e9d0c4998249bbd1a86f06c3651ba Mon Sep 17 00:00:00 2001 From: rubenwardy Date: Tue, 2 Feb 2021 18:16:55 +0000 Subject: [PATCH] Allow codehighlighting in markdown, enable linkify --- app/markdown.py | 55 +++++++++++++++++++++++++++++-------------------- 1 file changed, 33 insertions(+), 22 deletions(-) diff --git a/app/markdown.py b/app/markdown.py index 1d14c5e5..bae2bc3f 100644 --- a/app/markdown.py +++ b/app/markdown.py @@ -1,15 +1,16 @@ +from functools import partial + import bleach +from bleach import Cleaner +from bleach.linkifier import LinkifyFilter from markdown import Markdown from flask import Markup -# Whitelist source: MIT -# +# Based on # https://github.com/Wenzil/mdx_bleach/blob/master/mdx_bleach/whitelist.py +# +# License: MIT -""" -Default whitelist of allowed HTML tags. Any other HTML tags will be escaped or -stripped from the text. This applies to the html output that Markdown produces. -""" ALLOWED_TAGS = [ "h1", "h2", "h3", "h4", "h5", "h6", "hr", "ul", "ol", "li", @@ -22,33 +23,43 @@ ALLOWED_TAGS = [ "em", "a", "img", - "table", "thead", "tbody", "tr", "th", "td" + "table", "thead", "tbody", "tr", "th", "td", + "div", "span", ] -""" -Default whitelist of attributes. It allows the href and title attributes for -tags and the src, title and alt attributes for tags. Any other attribute -will be stripped from its tag. -""" +ALLOWED_CSS = [ + "highlight", "codehilite", + "hll", "c", "err", "g", "k", "l", "n", "o", "x", "p", "ch", "cm", "cp", "cpf", "c1", "cs", + "gd", "ge", "gr", "gh", "gi", "go", "gp", "gs", "gu", "gt", "kc", "kd", "kn", "kp", "kr", + "kt", "ld", "m", "s", "na", "nb", "nc", "no", "nd", "ni", "ne", "nf", "nl", "nn", "nx", + "py", "nt", "nv", "ow", "w", "mb", "mf", "mh", "mi", "mo", "sa", "sb", "sc", "dl", "sd", + "s2", "se", "sh", "si", "sx", "sr", "s1", "ss", "bp", "fm", "vc", "vg", "vi", "vm", "il", +] + +def allow_class(_tag, name, value): + return name == "class" and value in ALLOWED_CSS + ALLOWED_ATTRIBUTES = { "a": ["href", "title"], - "img": ["src", "title", "alt"] + "img": ["src", "title", "alt"], + "code": allow_class, + "div": allow_class, + "span": allow_class, } -""" -If you allow tags that have attributes containing a URI value -(like the href attribute of an anchor tag,) you may want to adapt -the accepted protocols. The default list only allows http, https and mailto. -""" ALLOWED_PROTOCOLS = ["http", "https", "mailto"] - md = None def render_markdown(source): - return bleach.clean(md.convert(source), - tags=ALLOWED_TAGS, attributes=ALLOWED_ATTRIBUTES, - styles=[], protocols=ALLOWED_PROTOCOLS) + html = md.convert(source) + + cleaner = Cleaner( + tags=ALLOWED_TAGS, + attributes=ALLOWED_ATTRIBUTES, + protocols=ALLOWED_PROTOCOLS, + filters=[partial(LinkifyFilter, callbacks=bleach.linkifier.DEFAULT_CALLBACKS)]) + return cleaner.clean(html) def init_app(app): global md