diff --git a/.hgtags b/.hgtags
--- a/.hgtags
+++ b/.hgtags
@@ -67,3 +67,4 @@ a84d40e9481fcea4dafadee86b03f0dd401527d6
64ea7ea0923618a0c117acebb816a6f0d162bfdb 0.3.3
cf635c823ea059cc3a1581b82d8672e46b682384 0.3.4
4cca4cc6a0a97f4c4763317184cd41aca4297630 0.3.5
+082c9b8f0f17bd34740eb90c69bdc4c80d4b5b31 0.3.6
diff --git a/kallithea/lib/base.py b/kallithea/lib/base.py
--- a/kallithea/lib/base.py
+++ b/kallithea/lib/base.py
@@ -328,7 +328,7 @@ class BaseVCSController(object):
Checks permissions using action (push/pull) user and repository
name
- :param action: push or pull action
+ :param action: 'push' or 'pull' action
:param user: `User` instance
:param repo_name: repository name
"""
diff --git a/kallithea/lib/markup_renderer.py b/kallithea/lib/markup_renderer.py
--- a/kallithea/lib/markup_renderer.py
+++ b/kallithea/lib/markup_renderer.py
@@ -30,6 +30,9 @@ import re
import logging
import traceback
+import markdown as markdown_mod
+import bleach
+
from kallithea.lib.utils2 import safe_unicode, MENTIONS_REGEX
log = logging.getLogger(__name__)
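Review bot: `import bleach` at the top of this hunk introduces a new third-party runtime dependency for the HTML-sanitising path, and nothing in this diff declares or pins it; if it is not already listed in the project's install requirements, add it there alongside `markdown` so a deployment lacking it fails at install time rather than at module import. The `markdown_mod` alias is presumably chosen so the module reads distinctly from the `MarkupRenderer.markdown` classmethod defined later in the file; a one-line comment such as `# aliased so it is not confused with MarkupRenderer.markdown` would make that intent explicit for the next maintainer.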
@@ -138,17 +141,43 @@ class MarkupRenderer(object):
@classmethod
def markdown(cls, source, safe=True, flavored=False):
+ """
+ Convert Markdown (possibly GitHub Flavored) to XSS safe HTML, possibly
+ with "safe" fall-back to plaintext.
+
+ >>> MarkupRenderer.markdown('''
''')
+ u'

''')
+ u'