23f80053
Commit
23f80053
authored
Apr 30, 2011
by
stef
[enh] sanitize html and display it in comments/contract excerpts
parent
972c7dc9
Changes
2
bt/views.py
@@ -9,7 +9,34 @@ from django.core.exceptions import ObjectDoesNotExist
from
models
import
Violation
,
Attachment
,
Comment
from
tempfile
import
mkstemp
from
datetime
import
datetime
import
hashlib
,
os
import
hashlib
,
os
,
re
from
urlparse
import
urljoin
from
BeautifulSoup
import
BeautifulSoup
,
Comment
as
BComment
def
sanitizeHtml
(
value
,
base_url
=
None
):
rjs
=
r
'[\s]*(&#x.{1,7})?'
.
join
(
list
(
'javascript:'
))
rvb
=
r
'[\s]*(&#x.{1,7})?'
.
join
(
list
(
'vbscript:'
))
re_scripts
=
re
.
compile
(
'(%s)|(%s)'
%
(
rjs
,
rvb
),
re
.
IGNORECASE
)
validTags
=
'p i strong b u a h1 h2 h3 pre br img'
.
split
()
validAttrs
=
'href src width height'
.
split
()
urlAttrs
=
'href src'
.
split
()
# Attributes which should have a URL
soup
=
BeautifulSoup
(
value
)
for
comment
in
soup
.
findAll
(
text
=
lambda
text
:
isinstance
(
text
,
BComment
)):
# Get rid of comments
comment
.
extract
()
for
tag
in
soup
.
findAll
(
True
):
if
tag
.
name
not
in
validTags
:
tag
.
hidden
=
True
attrs
=
tag
.
attrs
tag
.
attrs
=
[]
for
attr
,
val
in
attrs
:
if
attr
in
validAttrs
:
val
=
re_scripts
.
sub
(
''
,
val
)
# Remove scripts (vbs & js)
if
attr
in
urlAttrs
:
val
=
urljoin
(
base_url
,
val
)
# Calculate the absolute url
tag
.
attrs
.
append
((
attr
,
val
))
return
soup
.
renderContents
().
decode
(
'utf8'
)
def
add
(
request
):
if
request
.
method
==
'POST'
:
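Review bot: The URL attributes kept by sanitizeHtml are only scrubbed by the denylist regex `re_scripts.sub('', val)`, which deletes the text `javascript:`/`vbscript:` but never rejects the attribute, so any scheme the pattern does not name reaches `href`/`src` unchanged. A scheme allowlist after the join is the safer shape, e.g. `val = urljoin(base_url, val)` followed by `if urlparse(val).scheme not in ('http', 'https', 'mailto', ''): continue` (adding `urlparse` to the `from urlparse import urljoin` line), so a disallowed URL drops the attribute instead of being rewritten. Note also that the second hunk calls `sanitizeHtml(form.cleaned_data['contract_excerpt'])` without `base_url`, and Python 2's `urljoin` appears to return the URL unchanged for a false base, so no absolute-URL resolution actually happens for that caller. The function has no docstring; `"""Return value as unicode with HTML comments dropped and tags/attributes outside validTags/validAttrs removed (disallowed tags keep their text)."""` would state the contract, and `sanitize_html`/`valid_tags` would match PEP 8 naming. The body of add() continues outside the hunk.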
@@ -24,7 +51,7 @@ def add(request):
media
=
form
.
cleaned_data
[
'media'
],
temporary
=
form
.
cleaned_data
[
'temporary'
],
contractual
=
form
.
cleaned_data
[
'contractual'
],
contract_excerpt
=
form
.
cleaned_data
[
'contract_excerpt'
],
contract_excerpt
=
sanitizeHtml
(
form
.
cleaned_data
[
'contract_excerpt'
]
)
,
loophole
=
form
.
cleaned_data
[
'loophole'
]
)
v
.
save
()
templates/view.html
@@ -16,7 +16,7 @@
{%if v.media%}
<li><dl><dt>
Media
</dt><dd>
{{v.media}}
</dd></dl></li>
{%endif%}
{%if v.temporary%}
<li><dl><dt>
Temporary restriction
</dt><dd>
{{v.temporary}}
</dd></dl></li>
{%endif%}
{%if v.contractual%}
<li><dl><dt>
Contractual restriction
</dt><dd>
{{v.Contractual}}
</dd></dl></li>
{%endif%}
{%if v.contract_excerpt%}
<li><dl><dt>
Contract excerpt
</dt><dd>
{{v.contract_excerpt}}
</dd></dl></li>
{%endif%}
{%if v.contract_excerpt%}
<li><dl><dt>
Contract excerpt
</dt><dd>
{{v.contract_excerpt
|safe
}}
</dd></dl></li>
{%endif%}
{%if v.loophole%}
<li><dl><dt>
Loophole offering
</dt><dd>
{{v.loophole}}
</dd></dl></li>
{%endif%}
{%if v.comment_set.all%}
<div
id=
"comments"
>
@@ -24,7 +24,7 @@
{%for c in v.comment_set.all%}
<div
class=
"comment-node"
>
<span
class=
"commenter"
>
{%if c.submitter_nick%}{{c.submitter_nick}}{%else%}{{c.submitter_email}}{%endif%}
</span>
-
<span
class=
"comment_date"
>
{{c.timestamp|datetimefmt:"short" }}
</span>
<div
class=
"comment"
>
{{c.comment}}
</div>
<div
class=
"comment"
>
{{c.comment
|safe
}}
</div>
{%if c.attachment_set.all%}
<div
class=
"attachs"
>
Attachments
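Review bot: `{{c.comment|safe}}` in the second hunk turns off Django autoescaping for comment bodies, but the only call to sanitizeHtml this commit adds is on `contract_excerpt` in bt/views.py; unless Comment.comment is sanitized on its own save path (not visible in this diff), stored comment HTML is now rendered unfiltered. Either keep `{{c.comment}}` autoescaped until the comment path runs the same sanitizer, or apply sanitizeHtml wherever comments are created. The matching `{{v.contract_excerpt|safe}}` in the first hunk is only covered for submissions that go through add() after this change; rows saved earlier were presumably never sanitized and would need a one-off pass before being marked safe. Separately, the context line `{{v.Contractual}}` looks like a typo for `{{v.contractual}}` and would render empty.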