Made markdown jinja filter None-safe

2017-03-30 09:37:48 +02:00 · 2017-03-30 09:37:48 +02:00 · d8640df115
commit d8640df115
parent 4c704c8cda
2 changed files with 29 additions and 1 deletions
--- a/pillar/web/jinja.py
+++ b/pillar/web/jinja.py
@ -1,6 +1,7 @@
 """Our custom Jinja filters and other template stuff."""

 import logging
+import typing

 import flask
 import jinja2.filters
@ -90,7 +91,13 @@ def do_pluralize(value, arg='s'):
    return singular_suffix


-def do_markdown(s):
+def do_markdown(s: typing.Optional[str]):
+    if s is None:
+        return None
+
+    if not s:
+        return s
+
    # FIXME: get rid of this filter altogether and cache HTML of comments.
    safe_html = pillar.markdown.markdown(s)
    return jinja2.utils.Markup(safe_html)
--- a/tests/test_web/test_jinja.py
+++ b/tests/test_web/test_jinja.py
@ -0,0 +1,21 @@
+import unittest
+
+
+class MarkdownTest(unittest.TestCase):
+    def test_happy(self):
+        from pillar.web import jinja
+
+        self.assertEqual('<p>je <strong>moeder</strong></p>',
+                         jinja.do_markdown('je **moeder**').strip())
+
+    def test_bleached(self):
+        from pillar.web import jinja
+
+        self.assertEqual('&lt;script&gt;alert("hey");&lt;script&gt;',
+                         jinja.do_markdown('<script>alert("hey");<script>').strip())
+
+    def test_degenerate(self):
+        from pillar.web import jinja
+
+        self.assertEqual(None, jinja.do_markdown(None))
+        self.assertEqual('', jinja.do_markdown(''))