From d8640df115b8ac2b8271d278eebf93df881b822d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?=
Date: Thu, 30 Mar 2017 09:37:48 +0200
Subject: [PATCH] Made markdown jinja filter None-safe
---
 pillar/web/jinja.py | 9 ++++++++-
 tests/test_web/test_jinja.py | 21 +++++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 tests/test_web/test_jinja.py
diff --git a/pillar/web/jinja.py b/pillar/web/jinja.py
index 9a374d97..8d1276bd 100644
--- a/pillar/web/jinja.py
+++ b/pillar/web/jinja.py
@@ -1,6 +1,7 @@
 """Our custom Jinja filters and other template stuff."""
 import logging
+import typing
 import flask
 import jinja2.filters
@@ -90,7 +91,13 @@ def do_pluralize(value, arg='s'):
 return singular_suffix
-def do_markdown(s):
+def do_markdown(s: typing.Optional[str]):
+ if s is None:
+ return None
+
+ if not s:
+ return s
+
 # FIXME: get rid of this filter altogether and cache HTML of comments.
 safe_html = pillar.markdown.markdown(s)
 return jinja2.utils.Markup(safe_html)
diff --git a/tests/test_web/test_jinja.py b/tests/test_web/test_jinja.py
new file mode 100644
index 00000000..ac02fb99
--- /dev/null
+++ b/tests/test_web/test_jinja.py
@@ -0,0 +1,21 @@
+import unittest
+
+
+class MarkdownTest(unittest.TestCase):
+ def test_happy(self):
+ from pillar.web import jinja
+
+ self.assertEqual('
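Review bot: In `do_markdown` (pillar/web/jinja.py) the new `if s is None: return None` guard is redundant, because the `if not s: return s` that follows already hands `None` back unchanged; together they leave the filter with three return shapes (`None`, the falsy input itself, `Markup`) and no return annotation. I would keep only the `if not s:` guard and declare the result, `def do_markdown(s: typing.Optional[str]) -> typing.Optional[str]:`. Jinja prints a `None` result as the text "None" unless the environment's `finalize` hook handles it, so returning `''` may suit templates better; that depends on callers not shown in this patch. Because `jinja2.utils.Markup(...)` switches off autoescaping for the result, a docstring such as `"""Render Markdown to HTML and mark it safe for Jinja; falsy input is returned unchanged and unmarked."""` would help, with a note that sanitising is expected to happen inside `pillar.markdown.markdown` (inferred from the `safe_html` name and `test_bleached`), since that call is then the only XSS barrier for this filter.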

je moeder

',
+ jinja.do_markdown('je **moeder**').strip())
+
+ def test_bleached(self):
+ from pillar.web import jinja
+
+ self.assertEqual('<script>alert("hey");<script>',
+ jinja.do_markdown('