From 07502fecc0307ff39df5ef6aee43f77d5e0b313e Mon Sep 17 00:00:00 2001
From: vabene1111
Date: Sun, 2 Feb 2020 16:06:12 +0100
Subject: [PATCH] fixed possible markdown xss

---
 cookbook/templatetags/custom_tags.py | 4 +++-
 requirements.txt | 2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/cookbook/templatetags/custom_tags.py b/cookbook/templatetags/custom_tags.py
index 708547060..4435e0e54 100644
--- a/cookbook/templatetags/custom_tags.py
+++ b/cookbook/templatetags/custom_tags.py
@@ -1,5 +1,7 @@
 from django import template
 import markdown as md
+import bleach
+from bleach_whitelist import markdown_tags, markdown_attrs
 
 register = template.Library()
 
@@ -11,4 +13,4 @@ def get_class(value):
 
 @register.filter()
 def markdown(value):
-    return md.markdown(value, extensions=['markdown.extensions.fenced_code'])
+    return bleach.clean(md.markdown(value, extensions=['markdown.extensions.fenced_code']), markdown_tags, markdown_attrs)
diff --git a/requirements.txt b/requirements.txt
index db56f2fe1..1e99bb049 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -7,6 +7,8 @@ djangorestframework
 django-autocomplete-light
 django-emoji-picker
 django-cleanup
+bleach
+bleach-whitelist
 six
 requests
 markdown
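Review bot: The new `return` in `markdown()` sanitizes after rendering, which is the correct order because python-markdown passes raw HTML through untouched, but nothing on the line records that this call is the XSS control, so a later refactor could drop it or move it before the render; add a comment such as `# Sanitize the rendered HTML last: markdown emits raw HTML verbatim, so the allowlist must run on the final output.` The one-liner also hides which argument is which; I would split it into `html = md.markdown(value, extensions=['markdown.extensions.fenced_code'])` and `return bleach.clean(html, tags=markdown_tags, attributes=markdown_attrs)` so the keyword names make the allowlist roles explicit. Worth noting in that comment that `bleach.clean` keeps its default `protocols` allowlist here (http, https, mailto), which is what rejects non-web URL schemes in `href`/`src`, so it should not be relaxed casually. The filter still returns a plain string and is not registered with `is_safe`, so whether the sanitized output actually renders as HTML depends on templates applying `|safe` afterwards, which this hunk does not show; if the output is meant to be trusted after cleaning, wrapping it in `mark_safe(...)` here would keep the decision next to the sanitizer.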
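Review bot: `bleach` and `bleach-whitelist` are added unpinned, which matches the rest of this file but is more consequential here because the entire sanitizer policy (which tags and attributes survive) is now imported from `bleach-whitelist`, a small third-party package, so any upstream change to its `markdown_tags`/`markdown_attrs` silently changes what HTML this application accepts. I would pin at least these two lines (`bleach==<reviewed version>` and `bleach-whitelist==<reviewed version>`, with the versions filled in from the tested environment) and record in the commit or a comment which tags and attributes the allowlist permitted at review time, so a dependency bump is treated as a security-policy change. Separately, bleach has since been declared deprecated by its maintainers, so a follow-up should plan for a maintained replacement or for vendoring the allowlist into the project so it is reviewed with the code.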