-rw-r--r-- | apioforum/mdrender.py | 23 | ||||
-rw-r--r-- | apioforum/thread.py | 8 | ||||
-rw-r--r-- | setup.py | 2 |
3 files changed, 27 insertions, 6 deletions
diff --git a/apioforum/mdrender.py b/apioforum/mdrender.py new file mode 100644 index 0000000..20e86bb --- /dev/null +++ b/apioforum/mdrender.py @@ -0,0 +1,23 @@ +import bleach + +allowed_tags = [ + 'p', + 'h1', + 'h2', + 'h3', + 'h4', + 'h5', + 'pre', + 'del', +] +allowed_tags.extend(bleach.sanitizer.ALLOWED_TAGS) + +cleaner = bleach.sanitizer.Cleaner(tags=allowed_tags) + +import markdown +md = markdown.Markdown(extensions=['pymdownx.tilde']) + +def render(text): + text = md.reset().convert(text) + text = cleaner.clean(text) + return text diff --git a/apioforum/thread.py b/apioforum/thread.py index b9697ce..3378982 100644 --- a/apioforum/thread.py +++ b/apioforum/thread.py @@ -5,11 +5,7 @@ from flask import ( url_for, flash ) from .db import get_db - -def render_md(md): - from markdown import markdown - from markupsafe import escape - return markdown(escape(md)) +from .mdrender import render bp = Blueprint("thread", __name__, url_prefix="/thread") @@ -24,7 +20,7 @@ def view_thread(thread_id): "SELECT * FROM posts WHERE thread = ? ORDER BY created ASC;", (thread_id,) ).fetchall() - rendered_posts = [render_md(q['content']) for q in posts] + rendered_posts = [render(q['content']) for q in posts] return render_template("view_thread.html",posts=posts,thread=thread,thread_id=thread_id,rendered_posts=rendered_posts) @bp.route("/<int:thread_id>/create_post", methods=("POST",)) @@ -8,5 +8,7 @@ setup( install_requires = [ 'flask', 'markdown', + 'bleach', + 'pymdown-extensions', ], ) |
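Review bot: The `Cleaner` in the new `mdrender.py` is now the only control between post content and the page, yet it passes `tags=` alone and silently inherits bleach's default attribute and URL-scheme allowlists. Spelling the policy out, for example `cleaner = bleach.sanitizer.Cleaner(tags=allowed_tags, attributes={'a': ['href', 'title']}, protocols=['http', 'https', 'mailto'])`, keeps it reviewable in one place and stops a later tag addition from widening it unnoticed. `render` also reuses one module-level `md` object for every request; `reset()` clears state between calls, but the converter appears to hold per-document state while it runs, so on a threaded server a per-call `markdown.Markdown(...)` or a lock would be safer. A docstring on `render` stating that it returns sanitized HTML, plus a test that feeds it a `<script>` tag and a `javascript:` link, would document the guarantee.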
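Review bot: `rendered_posts` in `view_thread` is a list kept parallel to `posts`, and nothing at the call site records which of the two the template may emit unescaped. A comment above the line, `# sanitized HTML from mdrender.render, index-aligned with posts; raw q['content'] must stay autoescaped`, would make that boundary explicit. The markdown-plus-clean pass also runs for every post on every page view, so caching the rendered HTML may be worth considering for long threads. `view_thread` begins and ends outside this hunk, so the template side cannot be checked from here.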
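Review bot: `'bleach'` and `'pymdown-extensions'` are added to `install_requires` in `setup.py` without version bounds, although the sanitizer's behaviour is now security-relevant. A lower bound on the release that was actually tested, written as `'bleach>=<TESTED_VERSION>'`, would keep an older release that lacks later sanitizer fixes from satisfying the requirement. bleach has since been marked deprecated by its maintainers, so it is worth tracking whether it still receives security updates.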