diff --git a/kallithea/lib/markup_renderer.py b/kallithea/lib/markup_renderer.py
--- a/kallithea/lib/markup_renderer.py
+++ b/kallithea/lib/markup_renderer.py
@@ -116,6 +116,19 @@ class MarkupRenderer(object):
Renders a given filename using detected renderer
it detects renderers based on file extension or mimetype.
At last it will just do a simple html replacing new lines with
+
+ >>> MarkupRenderer.render('''
''', '.md')
+ u'

'
+ >>> MarkupRenderer.render('''
''', 'b.mkd')
+ u'![]()
'
+ >>> MarkupRenderer.render('''foo''', 'c.mkdn')
+ u'foo
'
+ >>> MarkupRenderer.render('''''', 'd.mdown')
+ u'<script>alert(1)</script>'
+ >>> MarkupRenderer.render('''yo
''', 'markdown')
+ u'yo
'
+ >>> MarkupRenderer.render('''yo''', 'md')
+ u'yo
'
"""
renderer = cls._detect_renderer(source, filename)
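Review bot: The new doctests on render() appear to show it returning escaped output for the script-tag input (the 'd.mdown' case), but the docstring prose above them still says nothing about sanitization, so the contract is only implied by examples. Since the markdown() docstring in the second hunk now explicitly says its output "should be sanitized before use", render() is presumably the sanitizing boundary and should say so in words, e.g. add `The returned HTML is sanitized; callers must not bypass render() by calling the per-format renderers directly.` before the examples. The doctest for '.md' on the first example also reads as a filename with no stem, which may be intentional to exercise extension detection but deserves a short comment if so. render()'s body continues outside the hunk.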
@@ -150,21 +163,21 @@ class MarkupRenderer(object):
@classmethod
def markdown(cls, source, safe=True, flavored=False):
"""
- Convert Markdown (possibly GitHub Flavored) to XSS safe HTML, possibly
- with "safe" fall-back to plaintext.
+ Convert Markdown (possibly GitHub Flavored) to INSECURE HTML, possibly
+ with "safe" fall-back to plaintext. Output from this method should be sanitized before use.
>>> MarkupRenderer.markdown('''
''')
- u'
'
+ u'
'
>>> MarkupRenderer.markdown('''
''')
- u'![]()
'
+ u'
'
>>> MarkupRenderer.markdown('''foo''')
u'foo
'
>>> MarkupRenderer.markdown('''''')
- u'<script>alert(1)</script>'
+ u''
>>> MarkupRenderer.markdown('''yo
''')
- u'yo
'
+ u'yo
'
>>> MarkupRenderer.markdown('''yo''')
- u'yo
'
+ u'yo
'
"""
source = safe_unicode(source)
try:
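Review bot: The rewritten docstring says markdown() now returns INSECURE HTML, yet the signature keeps a `safe=True` parameter and the sentence about a "safe" fall-back to plaintext, which a reader will easily take to mean the output is sanitized; the parameter is about the fall-back path, not sanitization, and the docstring should say so explicitly, e.g. `:param safe: on import/render failure fall back to plaintext instead of raising; this does NOT sanitize the returned HTML.` The updated doctests (the script input now echoing the tag back unescaped) confirm that any caller that invoked markdown() directly and relied on the old escaped output now gets raw HTML, so the change should be accompanied by a check that every call site outside render() either goes through the sanitizing path or sanitizes the result itself — not visible from this hunk. The second description line also runs well past the file's line width and would read better split after "plaintext."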