Commit 23f80053 authored by stef's avatar stef

[enh] sanitize html and display it in comments/contract excerpts

parent 972c7dc9
...@@ -9,7 +9,34 @@ from django.core.exceptions import ObjectDoesNotExist ...@@ -9,7 +9,34 @@ from django.core.exceptions import ObjectDoesNotExist
from models import Violation, Attachment, Comment from models import Violation, Attachment, Comment
from tempfile import mkstemp from tempfile import mkstemp
from datetime import datetime from datetime import datetime
import hashlib, os import hashlib, os, re
from urlparse import urljoin
from BeautifulSoup import BeautifulSoup, Comment as BComment
def sanitizeHtml(value, base_url=None):
rjs = r'[\s]*(&#x.{1,7})?'.join(list('javascript:'))
rvb = r'[\s]*(&#x.{1,7})?'.join(list('vbscript:'))
re_scripts = re.compile('(%s)|(%s)' % (rjs, rvb), re.IGNORECASE)
validTags = 'p i strong b u a h1 h2 h3 pre br img'.split()
validAttrs = 'href src width height'.split()
urlAttrs = 'href src'.split() # Attributes which should have a URL
soup = BeautifulSoup(value)
for comment in soup.findAll(text=lambda text: isinstance(text, BComment)):
# Get rid of comments
comment.extract()
for tag in soup.findAll(True):
if tag.name not in validTags:
tag.hidden = True
attrs = tag.attrs
tag.attrs = []
for attr, val in attrs:
if attr in validAttrs:
val = re_scripts.sub('', val) # Remove scripts (vbs & js)
if attr in urlAttrs:
val = urljoin(base_url, val) # Calculate the absolute url
tag.attrs.append((attr, val))
return soup.renderContents().decode('utf8')
def add(request): def add(request):
if request.method == 'POST': if request.method == 'POST':
...@@ -24,7 +51,7 @@ def add(request): ...@@ -24,7 +51,7 @@ def add(request):
media = form.cleaned_data['media'], media = form.cleaned_data['media'],
temporary = form.cleaned_data['temporary'], temporary = form.cleaned_data['temporary'],
contractual = form.cleaned_data['contractual'], contractual = form.cleaned_data['contractual'],
contract_excerpt = form.cleaned_data['contract_excerpt'], contract_excerpt = sanitizeHtml(form.cleaned_data['contract_excerpt']),
loophole = form.cleaned_data['loophole'] loophole = form.cleaned_data['loophole']
) )
v.save() v.save()
......
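Review bot: Hiding a disallowed element with `tag.hidden = True` drops only its tags and keeps its body, and for `<script>`/`<style>` the sgmllib parser under BeautifulSoup 3 stores that body as one literal text node which `renderContents()` writes back unescaped, so markup inside such an element reaches the page unchanged; those elements should be `extract()`ed rather than hidden. The URL handling is also weaker than it looks: `re_scripts.sub('', val)` trims only the scheme prefix and keeps the rest of the value, and `urljoin(base_url, val)` accepts any scheme, so it is safer to reject the attribute outright when its scheme is not in a short allow-list, which needs `urlparse` imported next to `urljoin` and `BeautifulSoup(value, convertEntities=BeautifulSoup.HTML_ENTITIES)` so the check sees decoded values rather than the partial hex-entity regex. A docstring stating the contract is missing, e.g. `"""Reduce *value* to an allow-list of tags/attributes and return it as unicode."""`. The `add` hunk below sanitizes only `contract_excerpt`; the comment path named in the commit message is not in this diff, so I cannot tell whether comments get the same treatment before `|safe` is applied in the template.
```python
def sanitizeHtml(value, base_url=None):
    """Reduce *value* to an allow-list of tags/attributes and return it as unicode."""
    # … unchanged: re_scripts, validTags, validAttrs, urlAttrs setup …
    dropTags = 'script style'.split()              # parser keeps their body as CDATA: never emit it
    validSchemes = ('', 'http', 'https', 'mailto')  # '' keeps relative links when base_url is None
    soup = BeautifulSoup(value, convertEntities=BeautifulSoup.HTML_ENTITIES)
    # … unchanged: comment removal …
    for tag in soup.findAll(True):
        if tag.name in dropTags:
            tag.extract()                          # hidden=True would still emit the body text
            continue
        if tag.name not in validTags:
            tag.hidden = True
        attrs = tag.attrs
        tag.attrs = []
        for attr, val in attrs:
            if attr not in validAttrs:
                continue
            if attr in urlAttrs:
                val = urljoin(base_url, val)       # urljoin(None, val) returns val unchanged
                if re_scripts.search(val) or urlparse(val).scheme not in validSchemes:
                    continue                       # reject the attribute instead of trimming it
            tag.attrs.append((attr, val))
    return soup.renderContents().decode('utf8')
```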
...@@ -16,7 +16,7 @@ ...@@ -16,7 +16,7 @@
{%if v.media%}<li><dl><dt>Media</dt><dd>{{v.media}}</dd></dl></li>{%endif%} {%if v.media%}<li><dl><dt>Media</dt><dd>{{v.media}}</dd></dl></li>{%endif%}
{%if v.temporary%}<li><dl><dt>Temporary restriction</dt><dd>{{v.temporary}}</dd></dl></li>{%endif%} {%if v.temporary%}<li><dl><dt>Temporary restriction</dt><dd>{{v.temporary}}</dd></dl></li>{%endif%}
{%if v.contractual%}<li><dl><dt>Contractual restriction</dt><dd>{{v.Contractual}}</dd></dl></li>{%endif%} {%if v.contractual%}<li><dl><dt>Contractual restriction</dt><dd>{{v.Contractual}}</dd></dl></li>{%endif%}
{%if v.contract_excerpt%}<li><dl><dt>Contract excerpt</dt><dd>{{v.contract_excerpt}}</dd></dl></li>{%endif%} {%if v.contract_excerpt%}<li><dl><dt>Contract excerpt</dt><dd>{{v.contract_excerpt|safe}}</dd></dl></li>{%endif%}
{%if v.loophole%}<li><dl><dt>Loophole offering</dt><dd>{{v.loophole}}</dd></dl></li>{%endif%} {%if v.loophole%}<li><dl><dt>Loophole offering</dt><dd>{{v.loophole}}</dd></dl></li>{%endif%}
{%if v.comment_set.all%} {%if v.comment_set.all%}
<div id="comments"> <div id="comments">
...@@ -24,7 +24,7 @@ ...@@ -24,7 +24,7 @@
{%for c in v.comment_set.all%} {%for c in v.comment_set.all%}
<div class="comment-node"> <div class="comment-node">
<span class="commenter">{%if c.submitter_nick%}{{c.submitter_nick}}{%else%}{{c.submitter_email}}{%endif%}</span> - <span class="comment_date">{{c.timestamp|datetimefmt:"short" }}</span> <span class="commenter">{%if c.submitter_nick%}{{c.submitter_nick}}{%else%}{{c.submitter_email}}{%endif%}</span> - <span class="comment_date">{{c.timestamp|datetimefmt:"short" }}</span>
<div class="comment">{{c.comment}}</div> <div class="comment">{{c.comment|safe}}</div>
{%if c.attachment_set.all%} {%if c.attachment_set.all%}
<div class="attachs"> <div class="attachs">
Attachments Attachments
......
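Review bot: `{{v.contract_excerpt|safe}}` and `{{c.comment|safe}}` switch off autoescaping for stored fields, so every row written before this commit, and any write path other than the `add` view (the comment-saving code is not in this diff), is now rendered unescaped. Sanitizing only at save time also means a later tightening of `sanitizeHtml` never reaches rows already in the database; consider applying the sanitizer at render time as a template filter, e.g. `{{c.comment|sanitize}}`, or at least running it over existing rows in a data migration before shipping the `|safe` change.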