warbo-utilities: 250dce63b54ca5e511af77a95ef395428258d2bd

From: Chris Warburton
Date: Sun, 28 Jan 2018 23:37:49 +0000
Subject: Re: Fix HTML escaping when rendering README
Message-Id: <a0f5591b1a0c9954-f54e8469e957dfed-artemis@nixos>
References: <a0f5591b1a0c9954-0-artemis@nixos>
In-Reply-To: <a0f5591b1a0c9954-0-artemis@nixos>

Use Pandoc to render to HTML (assuming markdown), then use Bleach to
strip all but a whitelist of HTML elements, attributes and protocols.

This way, elements like '<script>alert("XSS")</script>' get escaped;
attributes like 'onclick="alert(\"XSS\")"' get removed and URLs like
'javascript:alert("XSS")' get removed.
