Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Best practice for allowing Markdown in Python, while preventing XSS attacks?

Tags:

python

markdown

xss

sanitization

I need to let users enter Markdown content to my web app, which has a Python back end. I don’t want to needlessly restrict their entries (e.g. by not allowing any HTML, which goes against the spirit and spec of Markdown), but obviously I need to prevent cross-site scripting (XSS) attacks.

I can’t be the first one with this problem, but didn’t see any SO questions with all the keywords “python,” “Markdown,” and “XSS”, so here goes.

What’s a best-practice way to process Markdown and prevent XSS attacks using Python libraries? (Bonus points for supporting PHP Markdown Extra syntax.)

like image 493
Alan H. Avatar asked Mar 10 '11 21:03

Alan H.

2 Answers

I was unable to determine “best practice,” but generally you have three choices when accepting Markdown input:

  1. Allow HTML within Markdown content (this is how Markdown originally/officially works, but if treated naïvely, this can invite XSS attacks).

  2. Just treat any HTML as plain text, essentially letting your Markdown processor escape the user’s input. Thus <small>…</small> in input will not create small text but rather the literal text “<small>…</small>”.

  3. Throw out all HTML tags within Markdown. This is pretty user-hostile and may choke on text like <3 depending on implementation. This is the approach taken here on Stack Overflow.

My question regards case #1, specifically.

Given that, what worked well for me is sending user input through

  1. Markdown for Python, which optionally supports Extra syntax and then through
  2. html5lib’s sanitizer.

I threw a bunch of XSS attack attempts at this combination, and all failed (hurray!); but using benign tags like <strong> worked flawlessly.

This way, you are in effect going with option #1 (as desired) except for potentially dangerous or malformed HTML snippets, which are treated as in option #2.

(Thanks to Y.H Wong for pointing me in the direction of that Markdown library!)

like image 104
Alan H. Avatar answered Oct 20 '22 21:10

Alan H.

Markdown in Python is probably what you are looking for. It seems to cover a lot of your requested extensions too.

To prevent XSS attacks, the preferred way to do it is exactly the same as other languages - you escape the user output when rendered back. I just took a peek at the documentation and the source code. Markdown seems to be able to do it right out of the box with some trivial config tweaks.

like image 30
Y.H Wong Avatar answered Oct 20 '22 23:10

Y.H Wong
Sign in to Comment

Related questions

Python HTTP Server/Client: Remote end closed connection without response error
Is there a way to embed dependencies within a python script?
pipenv specify minimum version of python in pipfile?
Why are unittest2 methods camelCase if names_with_underscores are preferred?
How do I share Protocol Buffer .proto files between multiple repositories
Divide the list into three lists such that their sum are close to each other
How to use virtualenv with Google App Engine SDK on Mac OS X 10.6
Printing numpy.float64 with full precision
Django memory usage going up with every request
Force importing module from current directory
How can I install packages hosted in a private PyPI using setup.py?
Is there any disadvantage in using PYTHONDONTWRITEBYTECODE in Docker?
Which openid / oauth library to connect a django project to Google Apps Accounts?
Python - How are signals different from pubsub?
pass callback from python to c++ using boost::python
Finding the cause of a BrokenProcessPool in python's concurrent.futures
Best way to build an application based on R?
When should I be using asyncio over regular threads, and why? Does it provide performance increases?
Pylint W0212 protected-access
How to use OpenCV in Python?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!