Allow markdown in Project status description #4146
Merged
Closes #3338
This PR allows users to enter markdown in their Project Status Description. I have used the markdown library already used in `jobserver/snippets.py`.

Security

As HTML is valid in a Markdown file, we should protect against users adding `<script>` and `<style>` tags to their markdown. Whilst we do have a Content Security Policy on Job Server which would stop this, we should not allow it to be converted into valid HTML. The `bleach` library was recommended as part of a changelog entry in the Python Markdown library. The library `nh3` is used to clean the HTML before it is displayed in the template.

Screenshots

Before

After

This example shows the following text entered by a user, with an example of how a script tag would be rendered.