Commit 23f80053 authored by stef's avatar stef

[enh] sanitize html and display it in comments/contract excerpts

parent 972c7dc9
......@@ -9,7 +9,34 @@ from django.core.exceptions import ObjectDoesNotExist
from models import Violation, Attachment, Comment
from tempfile import mkstemp
from datetime import datetime
import hashlib, os
import hashlib, os, re
from urlparse import urljoin
from BeautifulSoup import BeautifulSoup, Comment as BComment
def sanitizeHtml(value, base_url=None):
rjs = r'[\s]*(&#x.{1,7})?'.join(list('javascript:'))
rvb = r'[\s]*(&#x.{1,7})?'.join(list('vbscript:'))
re_scripts = re.compile('(%s)|(%s)' % (rjs, rvb), re.IGNORECASE)
validTags = 'p i strong b u a h1 h2 h3 pre br img'.split()
validAttrs = 'href src width height'.split()
urlAttrs = 'href src'.split() # Attributes which should have a URL
soup = BeautifulSoup(value)
for comment in soup.findAll(text=lambda text: isinstance(text, BComment)):
# Get rid of comments
comment.extract()
for tag in soup.findAll(True):
if tag.name not in validTags:
tag.hidden = True
attrs = tag.attrs
tag.attrs = []
for attr, val in attrs:
if attr in validAttrs:
val = re_scripts.sub('', val) # Remove scripts (vbs & js)
if attr in urlAttrs:
val = urljoin(base_url, val) # Calculate the absolute url
tag.attrs.append((attr, val))
return soup.renderContents().decode('utf8')
def add(request):
if request.method == 'POST':
......@@ -24,7 +51,7 @@ def add(request):
media = form.cleaned_data['media'],
temporary = form.cleaned_data['temporary'],
contractual = form.cleaned_data['contractual'],
contract_excerpt = form.cleaned_data['contract_excerpt'],
contract_excerpt = sanitizeHtml(form.cleaned_data['contract_excerpt']),
loophole = form.cleaned_data['loophole']
)
v.save()
......
......@@ -16,7 +16,7 @@
{%if v.media%}<li><dl><dt>Media</dt><dd>{{v.media}}</dd></dl></li>{%endif%}
{%if v.temporary%}<li><dl><dt>Temporary restriction</dt><dd>{{v.temporary}}</dd></dl></li>{%endif%}
{%if v.contractual%}<li><dl><dt>Contractual restriction</dt><dd>{{v.Contractual}}</dd></dl></li>{%endif%}
{%if v.contract_excerpt%}<li><dl><dt>Contract excerpt</dt><dd>{{v.contract_excerpt}}</dd></dl></li>{%endif%}
{%if v.contract_excerpt%}<li><dl><dt>Contract excerpt</dt><dd>{{v.contract_excerpt|safe}}</dd></dl></li>{%endif%}
{%if v.loophole%}<li><dl><dt>Loophole offering</dt><dd>{{v.loophole}}</dd></dl></li>{%endif%}
{%if v.comment_set.all%}
<div id="comments">
......@@ -24,7 +24,7 @@
{%for c in v.comment_set.all%}
<div class="comment-node">
<span class="commenter">{%if c.submitter_nick%}{{c.submitter_nick}}{%else%}{{c.submitter_email}}{%endif%}</span> - <span class="comment_date">{{c.timestamp|datetimefmt:"short" }}</span>
<div class="comment">{{c.comment}}</div>
<div class="comment">{{c.comment|safe}}</div>
{%if c.attachment_set.all%}
<div class="attachs">
Attachments
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment