Make HTML sanitization an optional setting (#1556)

* Add new `HTML_SANITIZATION` server config to make HTML sanitization optional

CTFd/config.ini

@@ -40,6 +40,7 @@ SWAGGER_UI =
 UPDATE_CHECK =
 APPLICATION_ROOT =
 SERVER_SENT_EVENTS =
+HTML_SANITIZATION =
 SQLALCHEMY_MAX_OVERFLOW =
 SQLALCHEMY_POOL_PRE_PING =
 

CTFd/config.py

@@ -297,6 +297,9 @@ class Config(object):
         Specifies what path CTFd is mounted under. It can be used to run CTFd in a subdirectory.
         Example: /ctfd
 
+    HTML_SANITIZATION:
+        Specifies whether CTFd should sanitize HTML content from pages and descriptions
+
     SERVER_SENT_EVENTS:
         Specifies whether or not to enable to server-sent events based Notifications system.
 
@@ -335,6 +338,10 @@ class Config(object):
         or empty_str_cast(config_ini["optional"]["SERVER_SENT_EVENTS"]) \
         or True
 
+    HTML_SANITIZATION: bool = process_boolean_str(os.getenv("HTML_SANITIZATION")) \
+        or empty_str_cast(config_ini["optional"]["HTML_SANITIZATION"]) \
+        or False
+
     if DATABASE_URL.startswith("sqlite") is False:
         SQLALCHEMY_ENGINE_OPTIONS = {
             "max_overflow": int(os.getenv("SQLALCHEMY_MAX_OVERFLOW", 0))

CTFd/utils/config/pages.py

@@ -1,3 +1,5 @@
+from flask import current_app
+
 from CTFd.cache import cache
 from CTFd.models import Pages, db
 from CTFd.utils import markdown
@@ -6,7 +8,8 @@ from CTFd.utils.security.sanitize import sanitize_html
 
 def build_html(html):
     html = markdown(html)
-    html = sanitize_html(html)
+    if current_app.config["HTML_SANITIZATION"] is True:
+        html = sanitize_html(html)
     return html