diff --git a/.gitignore b/.gitignore
index d17ee1e..b54f038 100644
--- a/.gitignore
+++ b/.gitignore
@@ -74,7 +74,7 @@ google93fd32dbd906620a.html
 baidu_verify_FlHL7cUyC9.html
 BingSiteAuth.xml
 cb9339dbe2ff86a5aa169d28dba5f615.txt
-werobot_session
+werobot_session.*
 django.jpg
 uploads/
 settings_production.py
diff --git a/blog/templatetags/blog_tags.py b/blog/templatetags/blog_tags.py
index 37b2557..3871e50 100644
--- a/blog/templatetags/blog_tags.py
+++ b/blog/templatetags/blog_tags.py
@@ -3,6 +3,7 @@ import logging
 import random
 import urllib
+import bleach
 from django import template
 from django.conf import settings
 from django.db.models import Q
@@ -13,6 +14,7 @@ from django.utils.safestring import mark_safe
 from blog.models import Article, Category, Tag, Links, SideBar, LinkShowType
 from comments.models import Comment
+from djangoblog.utils import CommonMarkdown
 from djangoblog.utils import cache
 from djangoblog.utils import get_current_site
 from oauth.models import OAuthUser
@@ -40,10 +42,10 @@ def datetimeformat(data):
     return ""
-@register.filter(is_safe=True)
+@register.filter()
 @stringfilter
 def custom_markdown(content):
-    from djangoblog.utils import CommonMarkdown
+    content = bleach.clean(content)
     return mark_safe(CommonMarkdown.get_markdown(content))
@@ -258,16 +260,6 @@ def load_pagination_info(page_obj, page_type, tag_name):
     }
-"""
-@register.inclusion_tag('nav.html')
-def load_nav_info():
-    category_list = Category.objects.all()
-    return {
-        'nav_category_list': category_list
-    }
-"""
-
-
 @register.inclusion_tag('blog/tags/article_info.html')
 def load_article_detail(article, isindex, user):
     """
diff --git a/requirements.txt b/requirements.txt
index 481f0da..2fa813a 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,5 @@
 coverage==6.1.2
+bleach==4.1.0
 Django==3.2.9
 django-compressor==2.4.1
 django-haystack==3.1.1
diff --git a/templates/blog/tags/sidebar.html b/templates/blog/tags/sidebar.html
index 8e2d1b5..e17f269 100755
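Review bot: `content = bleach.clean(content)` in custom_markdown sanitizes the markdown source rather than the HTML that `mark_safe(CommonMarkdown.get_markdown(content))` hands to the browser, so it never sees the tags and attributes the markdown renderer itself generates from link, image or raw-HTML syntax, and with bleach's default allowlist it will also escape ordinary text such as `a < b` in code spans, which is likely to end up double-escaped once markdown processes it. Render first and then clean the output with a tags/attributes allowlist that matches what the renderer emits; bleach's default `protocols` list then applies to the real `href`/`src` values as well. Because the filter still returns `mark_safe(...)`, the `{% autoescape on %}` wrapper added in comment_item.html does not re-escape this output, so the sanitizer is the only control on comment bodies. The tag list below is a starting point and needs extending to whatever CommonMarkdown's extensions actually produce (tables, heading ids, etc.); the module-level allowlists go next to the other constants, outside this hunk.
```python
# Allowlist for the HTML CommonMarkdown emits; extend as its extensions require,
# but keep script/style tags and event-handler attributes out.
_MARKDOWN_TAGS = list(bleach.ALLOWED_TAGS) + [
    "p", "pre", "br", "hr", "img", "h1", "h2", "h3", "h4", "h5", "h6",
]
_MARKDOWN_ATTRS = {**bleach.ALLOWED_ATTRIBUTES, "img": ["src", "alt", "title"]}


@register.filter()
@stringfilter
def custom_markdown(content):
    """Render markdown to HTML and sanitize the rendered HTML before marking it safe."""
    html = CommonMarkdown.get_markdown(content)
    return mark_safe(bleach.clean(html, tags=_MARKDOWN_TAGS, attributes=_MARKDOWN_ATTRS))
```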
--- a/templates/blog/tags/sidebar.html +++ b/templates/blog/tags/sidebar.html @@ -15,7 +15,7 @@ {% endfor %} diff --git a/templates/comments/tags/comment_item.html b/templates/comments/tags/comment_item.html index faf6c96..aff1212 100644 --- a/templates/comments/tags/comment_item.html +++ b/templates/comments/tags/comment_item.html @@ -24,9 +24,9 @@
{{ comment_item.body |custom_markdown }}
- + {% autoescape on %} +{{ comment_item.body|custom_markdown }}
+ {% endautoescape %}