Fixed #17837. Improved markdown safety.

Markdown enable_attributes is now False when safe_mode is enabled. Documented the markdown "safe" argument. Added warnings when the safe argument is passed to versions of markdown which cannot be made safe. Deprecated versions of markdown < 2.1. Many thanks to ptone for the patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17735 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2025-08-04 02:48:35 +00:00 · 2012-03-14 19:06:23 +00:00 · 2012-03-14 19:06:23 +00:00 · 14df122f86
commit 14df122f86
parent eb9eaa6d71
5 changed files with 70 additions and 3 deletions
--- a/docs/ref/contrib/markup.txt
+++ b/docs/ref/contrib/markup.txt
@ -47,3 +47,19 @@ override the default writer settings. See the `restructuredtext writer
 settings`_ for details on what these settings are.

 .. _restructuredtext writer settings: http://docutils.sourceforge.net/docs/user/config.html#html4css1-writer
+
+Markdown
+--------
+
+The Python Markdown library supports options named "safe_mode" and
+"enable_attributes". Both relate to the security of the output. To enable both
+options in tandem, the markdown filter supports the "safe" argument.
+
+    {{ markdown_content_var|markdown:"safe" }}
+
+.. warning::
+
+    Versions of the Python-Markdown library prior to 2.1 do not support the
+    optional disabling of attributes and by default they will be included in
+    any output from the markdown filter - a warning is issued if this is the
+    case.