kwargs are not checked for unexpected parameters #1238
Labels:
- core: Related to the core parser code.
- feature: Feature request.
- needs-decision: A decision needs to be made regarding the request.
For a while I had the code

```python
return markdown.markdown(post, output='html5')
```

, which seemed to be working OK. However, it turns out that was a typo -- I should have been using `output_format`. Normally, the runtime would catch this, but instead `**kwargs` are collected and passed to the `Markdown` class, where keys are retrieved as needed.

It's not a security issue in this library, as far as I can tell, but this pattern has led to security issues elsewhere. (Imagine if there were a `safe_output` kwarg that someone typo'd.)

I think this could be as simple as having a known-keys set that the kwargs dict's keys are checked against before processing. I'd be happy to contribute a PR if this would be an acceptable approach.