
I'm updating a Python Django app that used an older version of misaka, which describes itself as a "CFFI-based binding for Hoedown, a fast markdown processing library." The relevant code in my Django app is the following:

render_flags=(misaka.HTML_SAFELINK)

But the misaka 2.0 documentation no longer shows that as a render flag option (the Django app throws an error as a result of it):

http://misaka.61924.nl/#html-render-flags

It seems that SAFELINK has been removed from hoedown itself. Apparently the purpose of HTML_SAFELINK was to only allow links to safe protocols.

It doesn't appear to me that there is a suitable replacement for HTML_SAFELINK among the current misaka 2.0 and hoedown render flag options, which are HTML_SKIP_HTML, HTML_ESCAPE, HTML_HARD_WRAP, and HTML_USE_XHTML.

Can I safely assume that the flag was pointless in the first place and that there's no real risk to leaving it out? Or is there another way in misaka/hoedown to block links to 'unsafe' protocols?

aris
  • I don't know why the change was made, but I would assume that there is no way to guarantee that a link is "safe". Therefore, it was removed as it was misleading. See – Waylan May 05 '16 at 13:12

1 Answer

Use the SaferHtmlRenderer class introduced in Misaka 2.1.0. By default it only allows http: and https: links, but you can easily subclass it to allow other protocols. Example from Liberapay:

import re

from markupsafe import Markup
import misaka as m  # http://misaka.61924.nl/


# Only http:, https: and xmpp: links pass; the match is anchored at the
# start of the URL and is case-sensitive.
url_re = re.compile(r'^(https?|xmpp):')


class CustomRenderer(m.SaferHtmlRenderer):

    # Called by SaferHtmlRenderer for every link and image URL; returning
    # False refuses the URL.
    def check_url(self, url, is_image_src=False):
        return bool(url_re.match(url))


renderer = CustomRenderer()
md = m.Markdown(renderer, extensions=(
    'autolink', 'strikethrough', 'no-intra-emphasis', 'tables',
))


def render(markdown):
    # Markup marks the rendered HTML as safe for the template engine.
    return Markup(md(markdown))

Changaco
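Added example, not from the answer above nor from Liberapay or misaka: a check_url() built on urllib.parse that goes beyond the answer's regex by lower-casing the scheme, refusing control characters and leading whitespace, accepting relative and fragment links, and applying a separate allow-list to image sources. The scheme lists are assumptions; the class falls back to a plain base when misaka is not installed so the check can be exercised on its own.

```python
import re
from urllib.parse import urlsplit

try:
    import misaka as m              # the library the question is about
    _Base = m.SaferHtmlRenderer
except ImportError:                 # misaka absent: the check itself still runs
    _Base = object

# Schemes a link may use; images get a tighter list (no xmpp:). Assumed policy.
LINK_SCHEMES = frozenset({"http", "https", "xmpp"})
IMAGE_SCHEMES = frozenset({"http", "https"})

# ASCII control characters: browsers drop tab/newline inside a URL, so
# "jav\tascript:" would survive a naive prefix match and still execute.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def is_safe_url(url, is_image_src=False):
    """True if `url` may be emitted as href/src.

    Relative and fragment URLs are accepted; absolute URLs must carry an
    allow-listed scheme. javascript:, data:, vbscript:, malformed input
    and anything containing control characters are refused.
    """
    if not isinstance(url, str) or _CONTROL_RE.search(url):
        return False
    url = url.strip()               # " javascript:x" must not look scheme-less
    if not url:
        return False
    try:
        parts = urlsplit(url)       # also lower-cases the scheme
    except ValueError:              # e.g. unbalanced IPv6 brackets
        return False
    if not parts.scheme:            # /path, ./x, #anchor, //host/x
        return True
    allowed = IMAGE_SCHEMES if is_image_src else LINK_SCHEMES
    return parts.scheme in allowed


class CustomRenderer(_Base):
    """Same hook as the answer's renderer, delegating to is_safe_url()."""

    def check_url(self, url, is_image_src=False):
        return is_safe_url(url, is_image_src)
```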