From 3cb67a97ec78f4d0056841165af30fa12c48d8bd Mon Sep 17 00:00:00 2001
From: Kevin Chung
Date: Fri, 11 Jun 2021 10:21:03 -0400
Subject: [PATCH] Bump pybluemonday version to 0.0.6 and allow HTML comments in sanitized output (#1908)

* Bump pybluemonday version to 0.0.6

* Allow HTML comments in sanitized output

* Closes #1906
---
 CTFd/utils/security/sanitize.py | 3 +++
 requirements.in | 2 +-
 requirements.txt | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/CTFd/utils/security/sanitize.py b/CTFd/utils/security/sanitize.py
index 0cef2532..5ad1b9c8 100644
--- a/CTFd/utils/security/sanitize.py
+++ b/CTFd/utils/security/sanitize.py
@@ -92,6 +92,9 @@ SANITIZER.RequireNoFollowOnLinks(True)
 SANITIZER.RequireNoReferrerOnFullyQualifiedLinks(True)
 SANITIZER.RequireNoReferrerOnLinks(True)
+# Allow Comments
+SANITIZER.AllowComments()
+
 def sanitize_html(html):
     return SANITIZER.sanitize(html)
diff --git a/requirements.in b/requirements.in
index fbfb89c1..cec7a83c 100644
--- a/requirements.in
+++ b/requirements.in
@@ -28,4 +28,4 @@ WTForms==2.3.1
 python-geoacumen==0.0.1
 maxminddb==1.5.4
 tenacity==6.2.0
-pybluemonday==0.0.4
+pybluemonday==0.0.6
diff --git a/requirements.txt b/requirements.txt
index 1b288d70..2ac4f6b9 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -39,7 +39,7 @@ marshmallow-sqlalchemy==0.17.0 # via -r requirements.in
 marshmallow==2.20.2 # via -r requirements.in, flask-marshmallow, marshmallow-sqlalchemy
 maxminddb==1.5.4 # via -r requirements.in, python-geoacumen
 passlib==1.7.2 # via -r requirements.in
-pybluemonday==0.0.4 # via -r requirements.in
+pybluemonday==0.0.6 # via -r requirements.in
 pycparser==2.20 # via cffi
 pydantic==1.5.1 # via -r requirements.in
 pymysql==0.9.3 # via -r requirements.in
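Review bot: The `# Allow Comments` line above `SANITIZER.AllowComments()` only restates the call; since this is a deliberate widening of the sanitizer's output, the comment should record why and what it costs. As far as I recall, bluemonday emits an allowed comment token verbatim rather than running its body through the element/attribute allowlist, so markup placed inside `<!-- -->` is no longer filtered and the safety argument becomes "browsers render comments as inert" — with legacy IE conditional comments (`<!--[if ...]>`) being the documented exception; please confirm against the 0.0.6 behaviour. Suggested replacement: `# Allow HTML comments (<!-- -->) in sanitized output (#1906). Comment bodies are passed through, not filtered, so this relies on browsers treating comments as inert; IE conditional comments are the known exception.` It would also be worth adding a test in the sanitizer test module that pins both that a plain comment survives and that a comment does not let a disallowed tag outside it through, so a future pybluemonday bump cannot silently change either.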