From f06e68210c8d804e750dde8c6521eadbd578ffb4 Mon Sep 17 00:00:00 2001 From: Jochen Klar Date: Thu, 8 Jan 2026 12:29:29 +0100 Subject: [PATCH 1/3] Add nh3 to clean markdown content (#453) --- pyproject.toml | 1 + rdmo/core/settings.py | 3 +++ rdmo/core/utils.py | 7 ++++++- 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 92ab2654e5..9a154242ba 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -56,6 +56,7 @@ dependencies = [ "drf-extensions>=0.7.1,<1.0", "iso8601>=2.0,<3.0", "markdown>=3.4,<4.0", + "nh3>=0.3<1.0", "packaging>=23.2,<26.0", "pypandoc>=1.11,<2.0", "requests-toolbelt>=1.0,<2.0", diff --git a/rdmo/core/settings.py b/rdmo/core/settings.py index 237846cef6..7b7f3ff339 100644 --- a/rdmo/core/settings.py +++ b/rdmo/core/settings.py @@ -331,6 +331,9 @@ # for example: 'not_empty': 'core/text_blocks/template_for_not_empty.html', } +MARKDOWN_CLEAN = True +MARKDOWN_CLEAN_KWARGS = {} # see https://nh3.readthedocs.io for available kwargs + PROJECT_TABLE_PAGE_SIZE = 20 PROJECT_VISIBILITY = True diff --git a/rdmo/core/utils.py b/rdmo/core/utils.py index d198111ca8..a287f54899 100644 --- a/rdmo/core/utils.py +++ b/rdmo/core/utils.py @@ -15,6 +15,7 @@ from django.utils.formats import get_format from django.utils.translation import gettext_lazy as _ +import nh3 from defusedcsv import csv from markdown import markdown @@ -253,7 +254,11 @@ def markdown2html(markdown_string): # textblocks (e.g. for help texts) can be injected into free text fields as small templates via Markdown html = inject_textblocks(html) - return html + if settings.MARKDOWN_CLEAN: + # use nh3/ammonia to clean the html string + return nh3.clean(html, **settings.MARKDOWN_CLEAN_KWARGS) + else: + return html def inject_textblocks(html): From 477aee29876aebcce3bffe5b6f4c6b03e4eac184 Mon Sep 17 00:00:00 2001 
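Review bot: `MARKDOWN_CLEAN_KWARGS = {}` is forwarded verbatim into `nh3.clean()`, and the settings comment does not say that supplying `tags` or `attributes` there sets nh3's allowlist rather than extending it, so an operator who adds one extra tag can silently drop the rest of the defaults, or defeat the sanitizer entirely by allowlisting `script`/`style`. I would extend the comment to `# passed unchanged to nh3.clean(); 'tags'/'attributes' REPLACE nh3's default allowlist, they do not extend it`. It would also help to state what `MARKDOWN_CLEAN` is for, e.g. `# sanitize rendered Markdown: Python-Markdown passes raw HTML through unchanged`, so the knob reads as a security setting and not a formatting one.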
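Review bot: The new `nh3.clean()` call runs after `inject_textblocks(html)`, so the rendered `TEXT_BLOCKS` templates pass through the same allowlist as the untrusted Markdown; with `MARKDOWN_CLEAN_KWARGS = {}` nh3's defaults (no `class`/`id`/`style`, a fixed tag set) will silently strip markup from any text-block template that relies on more than basic HTML. Sanitizing last is the right choice for defence in depth, but it should be stated, since the comment only says "clean the html string": `# clean AFTER inject_textblocks so template output is covered too; text-block templates may only use what MARKDOWN_CLEAN_KWARGS allows`. The `else:` after a `return` can go, leaving a bare `return html` at function level (ruff RET505). `markdown2html` starts above this hunk, so I cannot see how `html` is produced from `markdown_string` nor whether `settings` is imported in this module; presumably `from django.conf import settings` sits at the top.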
From: Jochen Klar Date: Thu, 8 Jan 2026 12:49:28 +0100 Subject: [PATCH 2/3] Fix pyproject.toml --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 9a154242ba..55da764f12 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -56,7 +56,7 @@ dependencies = [ "drf-extensions>=0.7.1,<1.0", "iso8601>=2.0,<3.0", "markdown>=3.4,<4.0", - "nh3>=0.3<1.0", + "nh3>=0.3,<1.0", "packaging>=23.2,<26.0", "pypandoc>=1.11,<2.0", "requests-toolbelt>=1.0,<2.0", From a6fb8c23a153b0ca70374919196227bf582d63fc Mon Sep 17 00:00:00 2001 From: Jochen Klar Date: Tue, 2 Jun 2026 17:15:19 +0200 Subject: [PATCH 3/3] Disable MARKDOWN_CLEAN by default --- rdmo/core/settings.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rdmo/core/settings.py b/rdmo/core/settings.py index 7b7f3ff339..7ae546dea9 100644 --- a/rdmo/core/settings.py +++ b/rdmo/core/settings.py @@ -331,7 +331,7 @@ # for example: 'not_empty': 'core/text_blocks/template_for_not_empty.html', } -MARKDOWN_CLEAN = True +MARKDOWN_CLEAN = False MARKDOWN_CLEAN_KWARGS = {} # see https://nh3.readthedocs.io for available kwargs PROJECT_TABLE_PAGE_SIZE = 20
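Review bot: Flipping `MARKDOWN_CLEAN` to `False` makes the sanitizer opt-in, so a deployment that never overrides this setting keeps returning Python-Markdown's output unfiltered, and Python-Markdown passes raw HTML, including `<script>` and event-handler attributes, straight through; anyone who can edit a Markdown field can then inject markup into every page that renders it. If this is for backward compatibility with existing raw-HTML help texts (the commit message does not say), the setting line should carry that trade-off so operators make a conscious choice: `MARKDOWN_CLEAN = False  # SECURITY: off = raw HTML in Markdown fields is rendered unsanitized; enable unless every Markdown author is trusted`. A Django system check that warns when it is `False`, plus a changelog entry, would make it easier to flip the default in a later release.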