bundled/markdown2: make markdown links a bit more secure
author |
Steve Losh <steve@stevelosh.com> |
date |
Sat, 10 Jul 2010 13:46:12 -0400 |
parents |
1b9066798f87
|
children |
80d2d7acbd6c
9d8c2dd1ed72
|
branches/tags |
(none) |
files |
bundled/markdown2/lib/markdown2.py |
--- a/bundled/markdown2/lib/markdown2.py Fri Jul 09 22:46:09 2010 -0400
+++ b/bundled/markdown2/lib/markdown2.py Sat Jul 10 13:46:12 2010 -0400
@@ -953,7 +953,10 @@
# We've got to encode these to avoid conflicting
# with italics/bold.
url = url.replace('*', g_escape_table['*']) \
- .replace('_', g_escape_table['_'])
+ .replace('_', g_escape_table['_']) \
+ .replace('"', '&quo;')
+ if url.startswith('javascript:'):
+ url = url.replace('javascript:', '', 1)
if title:
title_str = ' title="%s"' \
% title.replace('*', g_escape_table['*']) \
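Review bot: The entity on the added `.replace('"', '&quo;')` line is misspelled — `&quo;` is not an HTML entity, so a double quote in a URL ends up as the literal text `&quo;` inside the href instead of the intended `&quot;`; it should read `.replace('"', '&quot;')`. The `javascript:` guard on the next two lines is case-sensitive and anchored at index 0, so `JavaScript:`, `JAVASCRIPT:`, or a URL with leading whitespace or an embedded tab/newline in the scheme (which browsers tolerate) passes through untouched; test a normalised form instead, e.g. `probe = url.strip().lower().replace('\t', '').replace('\n', '').replace('\r', '')` followed by `if probe.startswith(('javascript:', 'vbscript:', 'data:')):`. Stripping only the prefix also leaves whatever followed it as the href, so the link still renders; replacing the whole URL with `'#'` (or dropping the link) is the safer outcome. Whether markdown2 decodes entities such as `&#106;avascript:` before this point is not visible here, so an entity-encoded scheme may need handling as well. The enclosing function starts and ends outside the hunk, and the `title_str` statement continues past its last line.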
@@ -1003,7 +1006,10 @@
# We've got to encode these to avoid conflicting
# with italics/bold.
url = url.replace('*', g_escape_table['*']) \
- .replace('_', g_escape_table['_'])
+ .replace('_', g_escape_table['_']) \
+ .replace('"', '&quo;')
+ if url.startswith('javascript:'):
+ url = url.replace('javascript:', '', 1)
title = self.titles.get(link_id)
if title:
title = title.replace('*', g_escape_table['*']) \
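Review bot: The four lines added here are a verbatim copy of the ones added in the first hunk, including the misspelled `&quo;` entity (should be `&quot;`), so the two call sites will drift the next time either is fixed. I would move the quote escaping and scheme check into one module-level helper and call it from both places as `url = _sanitize_url(url)`, so a single correction covers both code paths. A helper also makes it natural to lower-case and strip whitespace before the scheme test, which the inline `startswith('javascript:')` does not do, and to neutralise the whole URL rather than leave the remainder of a `javascript:` link as the href. The enclosing function starts and ends outside the hunk.
```python
_UNSAFE_URL_SCHEMES = ('javascript:', 'vbscript:', 'data:')

def _sanitize_url(url):
    """Escape chars that conflict with markup and neutralise script URLs."""
    url = url.replace('*', g_escape_table['*']) \
             .replace('_', g_escape_table['_']) \
             .replace('"', '&quot;')
    # Browsers match the scheme case-insensitively and ignore leading
    # whitespace and embedded tab/newline characters inside it.
    probe = url.strip().lower()
    for ch in ('\t', '\n', '\r'):
        probe = probe.replace(ch, '')
    if probe.startswith(_UNSAFE_URL_SCHEMES):
        return '#'
    return url

        # … inside the link handler, replacing the added lines …
        url = _sanitize_url(url)
        # … unchanged: title lookup and escaping …
```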