Welcome to the Treehouse Community

Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.

Start your free trial

Python Customizing Django Templates Building Custom Filters Custom Tags

Jonatan Witoszek
Jonatan Witoszek
15,384 Points
Posted by Jonatan Witoszek
Jonatan Witoszek
15,384 Points

Shouldn't we escape the markdown_text before we mark it as safe?

Shouldn't we escape the markdown_text from any HTML tags before we plug it into the markdown2.markdown function? Considering that only selected users have access to Django Admin, should we be worried about escaping and a possibility of XSS?

Anyway... If someone is as paranoid as I am, I've dug into documentation and found a way to escape any HTML characters before we turn markdown into safe HTML that is meant to display on the website:

from django.utils.html import escape

@register.filter('markdown_to_html')
def markdown_to_html(markdown_text):
    """Converts markdown text to HTML"""
    html_body = markdown2.markdown(escape(markdown_text))
    return mark_safe(html_body)