From 86d90fbefc7b881675b67d92ac26f754c895c4b2 Mon Sep 17 00:00:00 2001
From: Morgan Aubert
Date: Sat, 4 Jun 2016 12:10:08 -0400
Subject: [PATCH] Fix #20 - Update MACHINA_MARKUP_LANGUAGE markdown function parameters

---
 docs/release_notes/index.rst  |  1 +
 docs/release_notes/v0.2.1.rst | 15 +++++++++++++++
 docs/settings.rst             |  2 +-
 machina/conf/settings.py      |  2 +-
 4 files changed, 18 insertions(+), 2 deletions(-)
 create mode 100644 docs/release_notes/v0.2.1.rst

diff --git a/docs/release_notes/index.rst b/docs/release_notes/index.rst
index 4a5f3875b..6c8c51902 100644
--- a/docs/release_notes/index.rst
+++ b/docs/release_notes/index.rst
@@ -13,3 +13,4 @@ Django-machina 0.2
    :maxdepth: 1
 
    v0.2
+   v0.2.1
diff --git a/docs/release_notes/v0.2.1.rst b/docs/release_notes/v0.2.1.rst
new file mode 100644
index 000000000..7a910263a
--- /dev/null
+++ b/docs/release_notes/v0.2.1.rst
@@ -0,0 +1,15 @@
+################################
+Django-machina 0.3 release notes
+################################
+
+Requirements and compatibility
+------------------------------
+
+Python 2.7, 3.3, 3.4 and 3.5. Django 1.8 and 1.9.
+
+Minor changes
+-------------
+
+* Fixed a security issue related to the usage of *django-markdown*'s ``markdown`` function (`#20`_)
+
+.. _`#20`: https://github.com/ellmetha/django-machina/issues/20
diff --git a/docs/settings.rst b/docs/settings.rst
index b567feb33..6ff51818d 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -17,7 +17,7 @@ The forum name.
 
 ``MACHINA_MARKUP_LANGUAGE``
 ---------------------------
-Default: ``('django_markdown.utils.markdown', {})``
+Default: ``('django_markdown.utils.markdown', {'safe': True})``
 
 This setting defines how posts content is translated into HTML on the forum. It should be a two-tuple. The first element should be a string corresponding to the Python dotted path to a function returning HTML from a content expressed in a markup language. The second element of the tuple is a dictionary of keyword arguments to pass to the latest function (the dictionary should be empty if the function does not require any argument). Note that if you do not want to use a markup language such as Markdown or BBCode (eg. if you are using a Wysiwyg editor), you can set this setting to ``None``.
 
diff --git a/machina/conf/settings.py b/machina/conf/settings.py
index 24a9321e4..165585fd6 100644
--- a/machina/conf/settings.py
+++ b/machina/conf/settings.py
@@ -8,7 +8,7 @@
 # General
 MACHINA_FORUM_NAME = getattr(settings, 'MACHINA_FORUM_NAME', 'Machina')
 MACHINA_MARKUP_LANGUAGE = getattr(
-    settings, 'MACHINA_MARKUP_LANGUAGE', ('django_markdown.utils.markdown', {}))
+    settings, 'MACHINA_MARKUP_LANGUAGE', ('django_markdown.utils.markdown', {'safe': True}))
 MACHINA_MARKUP_WIDGET = getattr(
     settings, 'MACHINA_MARKUP_WIDGET', 'django_markdown.widgets.MarkdownWidget')
 
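Review bot: The new default on the `+` line of the machina/conf/settings.py hunk makes the escaping of raw HTML in posts depend on a keyword that only `django_markdown.utils.markdown` understands, so the protection added for #20 is silently lost as soon as a deployment overrides `MACHINA_MARKUP_LANGUAGE` with another renderer, and nothing in the code records why `'safe': True` is there. If `safe` maps onto Python-Markdown's `safe_mode` (which I believe is how django-markdown implements it — confirm), upstream deprecated that option in favour of passing the rendered output through an allow-list HTML sanitizer, so the kwarg should be treated as a stop-gap rather than a complete defence against attacker-controlled post content. I would add a comment above the assignment: `# 'safe': True makes django-markdown escape raw HTML in user posts (see #20).` / `# Any override of this setting must keep an equivalent sanitization step.` Longer term, sanitizing the rendered HTML inside machina itself, presumably at the point where the renderer's output is marked safe (outside this hunk), would make the protection independent of the configured function.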