Skip to content
GitLab
Projects
Groups
Snippets
/
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
Menu
Open sidebar
La Quadrature du Net
Respect My Net
Commits
23f80053
Commit
23f80053
authored
Apr 30, 2011
by
stef
Browse files
[enh] sanitize html and display it in comments/contract excerpts
parent
972c7dc9
Changes
2
Show whitespace changes
Inline
Side-by-side
bt/views.py
View file @
23f80053
...
...
@@ -9,7 +9,34 @@ from django.core.exceptions import ObjectDoesNotExist
from
models
import
Violation
,
Attachment
,
Comment
from
tempfile
import
mkstemp
from
datetime
import
datetime
import
hashlib
,
os
import
hashlib
,
os
,
re
from
urlparse
import
urljoin
from
BeautifulSoup
import
BeautifulSoup
,
Comment
as
BComment
def
sanitizeHtml
(
value
,
base_url
=
None
):
rjs
=
r
'[\s]*(&#x.{1,7})?'
.
join
(
list
(
'javascript:'
))
rvb
=
r
'[\s]*(&#x.{1,7})?'
.
join
(
list
(
'vbscript:'
))
re_scripts
=
re
.
compile
(
'(%s)|(%s)'
%
(
rjs
,
rvb
),
re
.
IGNORECASE
)
validTags
=
'p i strong b u a h1 h2 h3 pre br img'
.
split
()
validAttrs
=
'href src width height'
.
split
()
urlAttrs
=
'href src'
.
split
()
# Attributes which should have a URL
soup
=
BeautifulSoup
(
value
)
for
comment
in
soup
.
findAll
(
text
=
lambda
text
:
isinstance
(
text
,
BComment
)):
# Get rid of comments
comment
.
extract
()
for
tag
in
soup
.
findAll
(
True
):
if
tag
.
name
not
in
validTags
:
tag
.
hidden
=
True
attrs
=
tag
.
attrs
tag
.
attrs
=
[]
for
attr
,
val
in
attrs
:
if
attr
in
validAttrs
:
val
=
re_scripts
.
sub
(
''
,
val
)
# Remove scripts (vbs & js)
if
attr
in
urlAttrs
:
val
=
urljoin
(
base_url
,
val
)
# Calculate the absolute url
tag
.
attrs
.
append
((
attr
,
val
))
return
soup
.
renderContents
().
decode
(
'utf8'
)
def
add
(
request
):
if
request
.
method
==
'POST'
:
...
...
@@ -24,7 +51,7 @@ def add(request):
media
=
form
.
cleaned_data
[
'media'
],
temporary
=
form
.
cleaned_data
[
'temporary'
],
contractual
=
form
.
cleaned_data
[
'contractual'
],
contract_excerpt
=
form
.
cleaned_data
[
'contract_excerpt'
],
contract_excerpt
=
sanitizeHtml
(
form
.
cleaned_data
[
'contract_excerpt'
]
)
,
loophole
=
form
.
cleaned_data
[
'loophole'
]
)
v
.
save
()
...
...
templates/view.html
View file @
23f80053
...
...
@@ -16,7 +16,7 @@
{%if v.media%}
<li><dl><dt>
Media
</dt><dd>
{{v.media}}
</dd></dl></li>
{%endif%}
{%if v.temporary%}
<li><dl><dt>
Temporary restriction
</dt><dd>
{{v.temporary}}
</dd></dl></li>
{%endif%}
{%if v.contractual%}
<li><dl><dt>
Contractual restriction
</dt><dd>
{{v.Contractual}}
</dd></dl></li>
{%endif%}
{%if v.contract_excerpt%}
<li><dl><dt>
Contract excerpt
</dt><dd>
{{v.contract_excerpt}}
</dd></dl></li>
{%endif%}
{%if v.contract_excerpt%}
<li><dl><dt>
Contract excerpt
</dt><dd>
{{v.contract_excerpt
|safe
}}
</dd></dl></li>
{%endif%}
{%if v.loophole%}
<li><dl><dt>
Loophole offering
</dt><dd>
{{v.loophole}}
</dd></dl></li>
{%endif%}
{%if v.comment_set.all%}
<div
id=
"comments"
>
...
...
@@ -24,7 +24,7 @@
{%for c in v.comment_set.all%}
<div
class=
"comment-node"
>
<span
class=
"commenter"
>
{%if c.submitter_nick%}{{c.submitter_nick}}{%else%}{{c.submitter_email}}{%endif%}
</span>
-
<span
class=
"comment_date"
>
{{c.timestamp|datetimefmt:"short" }}
</span>
<div
class=
"comment"
>
{{c.comment}}
</div>
<div
class=
"comment"
>
{{c.comment
|safe
}}
</div>
{%if c.attachment_set.all%}
<div
class=
"attachs"
>
Attachments
...
...
Write
Preview
Supports
Markdown
0%
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment