From be6378e91e1cdfb92079401da2f82aa8a6fa5a86 Mon Sep 17 00:00:00 2001 From: pnogueira Date: Wed, 1 Jul 2026 09:57:52 +0200 Subject: [PATCH] Escape page-hijacking HTML in rendered message text MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit render_markdown_text() runs message content through markdown.markdown(), which passes raw HTML through verbatim. Any active-content HTML in a message (outside a code fence) therefore becomes a live element in the transcript. In practice this bites when a session pastes captive-portal debug logs containing e.g. The +# hijack the transcript on load and it never renders. Markdown never emits these +# tags itself, so escaping them back to visible text leaves normal content alone. +_ACTIVE_TAG_RE = re.compile( + r"]*>", + re.I, +) +# Inline event handlers (onerror=, onload=, …) and javascript: URIs execute +# without a " + ) + assert "\n```" + ) + assert "bold" in result + assert "code" in result + assert 'href="http://ok"' in result + # Inside a fence markdown already escapes it; must stay visible text. + assert "