Skip to content
GitLab
Projects
Groups
Snippets
Help
Loading...
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
R
Respect My Net
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Service Desk
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Operations
Operations
Incidents
Environments
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
piks3l
Respect My Net
Commits
23f80053
Commit
23f80053
authored
Apr 30, 2011
by
stef
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
[enh] sanitize html and display it in comments/contract excerpts
parent
972c7dc9
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
31 additions
and
4 deletions
+31
-4
bt/views.py
bt/views.py
+29
-2
templates/view.html
templates/view.html
+2
-2
No files found.
bt/views.py
View file @
23f80053
...
@@ -9,7 +9,34 @@ from django.core.exceptions import ObjectDoesNotExist
...
@@ -9,7 +9,34 @@ from django.core.exceptions import ObjectDoesNotExist
from
models
import
Violation
,
Attachment
,
Comment
from
models
import
Violation
,
Attachment
,
Comment
from
tempfile
import
mkstemp
from
tempfile
import
mkstemp
from
datetime
import
datetime
from
datetime
import
datetime
import
hashlib
,
os
import
hashlib
,
os
,
re
from
urlparse
import
urljoin
from
BeautifulSoup
import
BeautifulSoup
,
Comment
as
BComment
def
sanitizeHtml
(
value
,
base_url
=
None
):
rjs
=
r
'[\s]*(&#x.{1,7})?'
.
join
(
list
(
'javascript:'
))
rvb
=
r
'[\s]*(&#x.{1,7})?'
.
join
(
list
(
'vbscript:'
))
re_scripts
=
re
.
compile
(
'(%s)|(%s)'
%
(
rjs
,
rvb
),
re
.
IGNORECASE
)
validTags
=
'p i strong b u a h1 h2 h3 pre br img'
.
split
()
validAttrs
=
'href src width height'
.
split
()
urlAttrs
=
'href src'
.
split
()
# Attributes which should have a URL
soup
=
BeautifulSoup
(
value
)
for
comment
in
soup
.
findAll
(
text
=
lambda
text
:
isinstance
(
text
,
BComment
)):
# Get rid of comments
comment
.
extract
()
for
tag
in
soup
.
findAll
(
True
):
if
tag
.
name
not
in
validTags
:
tag
.
hidden
=
True
attrs
=
tag
.
attrs
tag
.
attrs
=
[]
for
attr
,
val
in
attrs
:
if
attr
in
validAttrs
:
val
=
re_scripts
.
sub
(
''
,
val
)
# Remove scripts (vbs & js)
if
attr
in
urlAttrs
:
val
=
urljoin
(
base_url
,
val
)
# Calculate the absolute url
tag
.
attrs
.
append
((
attr
,
val
))
return
soup
.
renderContents
().
decode
(
'utf8'
)
def
add
(
request
):
def
add
(
request
):
if
request
.
method
==
'POST'
:
if
request
.
method
==
'POST'
:
...
@@ -24,7 +51,7 @@ def add(request):
...
@@ -24,7 +51,7 @@ def add(request):
media
=
form
.
cleaned_data
[
'media'
],
media
=
form
.
cleaned_data
[
'media'
],
temporary
=
form
.
cleaned_data
[
'temporary'
],
temporary
=
form
.
cleaned_data
[
'temporary'
],
contractual
=
form
.
cleaned_data
[
'contractual'
],
contractual
=
form
.
cleaned_data
[
'contractual'
],
contract_excerpt
=
form
.
cleaned_data
[
'contract_excerpt'
]
,
contract_excerpt
=
sanitizeHtml
(
form
.
cleaned_data
[
'contract_excerpt'
])
,
loophole
=
form
.
cleaned_data
[
'loophole'
]
loophole
=
form
.
cleaned_data
[
'loophole'
]
)
)
v
.
save
()
v
.
save
()
...
...
templates/view.html
View file @
23f80053
...
@@ -16,7 +16,7 @@
...
@@ -16,7 +16,7 @@
{%if v.media%}
<li><dl><dt>
Media
</dt><dd>
{{v.media}}
</dd></dl></li>
{%endif%}
{%if v.media%}
<li><dl><dt>
Media
</dt><dd>
{{v.media}}
</dd></dl></li>
{%endif%}
{%if v.temporary%}
<li><dl><dt>
Temporary restriction
</dt><dd>
{{v.temporary}}
</dd></dl></li>
{%endif%}
{%if v.temporary%}
<li><dl><dt>
Temporary restriction
</dt><dd>
{{v.temporary}}
</dd></dl></li>
{%endif%}
{%if v.contractual%}
<li><dl><dt>
Contractual restriction
</dt><dd>
{{v.Contractual}}
</dd></dl></li>
{%endif%}
{%if v.contractual%}
<li><dl><dt>
Contractual restriction
</dt><dd>
{{v.Contractual}}
</dd></dl></li>
{%endif%}
{%if v.contract_excerpt%}
<li><dl><dt>
Contract excerpt
</dt><dd>
{{v.contract_excerpt}}
</dd></dl></li>
{%endif%}
{%if v.contract_excerpt%}
<li><dl><dt>
Contract excerpt
</dt><dd>
{{v.contract_excerpt
|safe
}}
</dd></dl></li>
{%endif%}
{%if v.loophole%}
<li><dl><dt>
Loophole offering
</dt><dd>
{{v.loophole}}
</dd></dl></li>
{%endif%}
{%if v.loophole%}
<li><dl><dt>
Loophole offering
</dt><dd>
{{v.loophole}}
</dd></dl></li>
{%endif%}
{%if v.comment_set.all%}
{%if v.comment_set.all%}
<div
id=
"comments"
>
<div
id=
"comments"
>
...
@@ -24,7 +24,7 @@
...
@@ -24,7 +24,7 @@
{%for c in v.comment_set.all%}
{%for c in v.comment_set.all%}
<div
class=
"comment-node"
>
<div
class=
"comment-node"
>
<span
class=
"commenter"
>
{%if c.submitter_nick%}{{c.submitter_nick}}{%else%}{{c.submitter_email}}{%endif%}
</span>
-
<span
class=
"comment_date"
>
{{c.timestamp|datetimefmt:"short" }}
</span>
<span
class=
"commenter"
>
{%if c.submitter_nick%}{{c.submitter_nick}}{%else%}{{c.submitter_email}}{%endif%}
</span>
-
<span
class=
"comment_date"
>
{{c.timestamp|datetimefmt:"short" }}
</span>
<div
class=
"comment"
>
{{c.comment}}
</div>
<div
class=
"comment"
>
{{c.comment
|safe
}}
</div>
{%if c.attachment_set.all%}
{%if c.attachment_set.all%}
<div
class=
"attachs"
>
<div
class=
"attachs"
>
Attachments
Attachments
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment