Sanitize rendered html with ammonia

kureuil · kureuil · commit 827ff653e378 · 2017-07-30T18:56:00.000+02:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -50,6 +50,7 @@ serde = "1.0.0"
 clippy = { version = "=0.0.142", optional = true }
 chrono = "0.4.0"
 pulldown-cmark = { version = "0.0.15", default-features = false }
+ammonia = "0.5.0"
 
 conduit = "0.8"
 conduit-conditional-get = "0.8"
diff --git a/src/lib.rs b/src/lib.rs
@@ -17,6 +17,7 @@ extern crate log;
 extern crate serde_json;
 #[macro_use]
 extern crate serde_derive;
+extern crate ammonia;
 extern crate chrono;
 extern crate curl;
 extern crate diesel_full_text_search;
diff --git a/src/render.rs b/src/render.rs
@@ -1,11 +1,16 @@
+use ammonia::Ammonia;
 use pulldown_cmark::Parser;
 use pulldown_cmark::html;
 
 use util::CargoResult;
 
 pub fn markdown_to_html(text: &str) -> CargoResult<String> {
     let mut rendered = String::with_capacity(text.len() * 3 / 2);
+    let cleaner = Ammonia {
+        keep_cleaned_elements: true,
+        ..Ammonia::default()
+    };
     let parser = Parser::new(text);
     html::push_html(&mut rendered, parser);
-    Ok(rendered)
+    Ok(cleaner.clean(&rendered))
 }
