nh3

pyproject.toml

@@ -56,6 +56,7 @@ dependencies = [
   "drf-extensions>=0.7.1,<1.0",
   "iso8601>=2.0,<3.0",
   "markdown>=3.4,<4.0",
+  "nh3>=0.3,<1.0",
   "packaging>=23.2,<26.0",
   "pypandoc>=1.11,<2.0",
   "requests-toolbelt>=1.0,<2.0",

rdmo/core/settings.py

@@ -331,6 +331,9 @@
     # for example: 'not_empty': 'core/text_blocks/template_for_not_empty.html',
 }
 
+MARKDOWN_CLEAN = True
+MARKDOWN_CLEAN_KWARGS = {}  # see https://nh3.readthedocs.io for available kwargs
+
 PROJECT_TABLE_PAGE_SIZE = 20
 
 PROJECT_VISIBILITY = True

rdmo/core/utils.py

@@ -15,6 +15,7 @@
 from django.utils.formats import get_format
 from django.utils.translation import gettext_lazy as _
 
+import nh3
 from defusedcsv import csv
 from markdown import markdown
 
@@ -253,7 +254,11 @@ def markdown2html(markdown_string):
     # textblocks (e.g. for help texts) can be injected into free text fields as small templates via Markdown
     html = inject_textblocks(html)
 
-    return html
+    if settings.MARKDOWN_CLEAN:
+        # use nh3/ammonia to clean the html string
+        return nh3.clean(html, **settings.MARKDOWN_CLEAN_KWARGS)
+    else:
+        return html
 
 
 def inject_textblocks(html):