[enh] sanitize html and display it in comments/contract excerpts

23f80053 · stef · 972c7dc9 · 23f80053 · 23f80053
Commit 23f80053 authored Apr 30, 2011 by stef
--- a/bt/views.py
+++ b/bt/views.py
@@ -9,7 +9,34 @@ from django.core.exceptions import ObjectDoesNotExist
 from models import Violation, Attachment, Comment
 from tempfile import mkstemp
 from datetime import datetime
-import hashlib, os
+import hashlib, os, re
+from urlparse import urljoin
+from BeautifulSoup import BeautifulSoup, Comment as BComment
+def sanitizeHtml(value, base_url=None):
+    rjs = r'[\s]*(&#x.{1,7})?'.join(list('javascript:'))
+    rvb = r'[\s]*(&#x.{1,7})?'.join(list('vbscript:'))
+    re_scripts = re.compile('(%s)|(%s)' % (rjs, rvb), re.IGNORECASE)
+    validTags = 'p i strong b u a h1 h2 h3 pre br img'.split()
+    validAttrs = 'href src width height'.split()
+    urlAttrs = 'href src'.split() # Attributes which should have a URL
+    soup = BeautifulSoup(value)
+    for comment in soup.findAll(text=lambda text: isinstance(text, BComment)):
+        # Get rid of comments
+        comment.extract()
+    for tag in soup.findAll(True):
+        if tag.name not in validTags:
+            tag.hidden = True
+        attrs = tag.attrs
+        tag.attrs = []
+        for attr, val in attrs:
+            if attr in validAttrs:
+                val = re_scripts.sub('', val) # Remove scripts (vbs & js)
+                if attr in urlAttrs:
+                    val = urljoin(base_url, val) # Calculate the absolute url
+                tag.attrs.append((attr, val))
+    return soup.renderContents().decode('utf8')
 def add(request):
    if request.method == 'POST':
@@ -24,7 +51,7 @@ def add(request):
                media = form.cleaned_data['media'],
                temporary = form.cleaned_data['temporary'],
                contractual = form.cleaned_data['contractual'],
-                contract_excerpt = form.cleaned_data['contract_excerpt'],
+                contract_excerpt = sanitizeHtml(form.cleaned_data['contract_excerpt']),
                loophole = form.cleaned_data['loophole']
                )
            v.save()

--- a/templates/view.html
+++ b/templates/view.html
@@ -16,7 +16,7 @@
  {%if v.media%}<li><dl><dt>Media</dt><dd>{{v.media}}</dd></dl></li>{%endif%}
  {%if v.temporary%}<li><dl><dt>Temporary restriction</dt><dd>{{v.temporary}}</dd></dl></li>{%endif%}
  {%if v.contractual%}<li><dl><dt>Contractual restriction</dt><dd>{{v.Contractual}}</dd></dl></li>{%endif%}
-  {%if v.contract_excerpt%}<li><dl><dt>Contract excerpt</dt><dd>{{v.contract_excerpt}}</dd></dl></li>{%endif%}
+  {%if v.contract_excerpt%}<li><dl><dt>Contract excerpt</dt><dd>{{v.contract_excerpt|safe}}</dd></dl></li>{%endif%}
  {%if v.loophole%}<li><dl><dt>Loophole offering</dt><dd>{{v.loophole}}</dd></dl></li>{%endif%}
  {%if v.comment_set.all%}
  <div id="comments">
@@ -24,7 +24,7 @@
    {%for c in v.comment_set.all%}
    <div class="comment-node">
      <span class="commenter">{%if c.submitter_nick%}{{c.submitter_nick}}{%else%}{{c.submitter_email}}{%endif%}</span> - <span class="comment_date">{{c.timestamp|datetimefmt:"short" }}</span>
-      <div class="comment">{{c.comment}}</div>
+      <div class="comment">{{c.comment|safe}}</div>
      {%if c.attachment_set.all%}
      <div class="attachs">
        Attachments