Skip to content

Commit 6e9bb00

Browse files
committed
Changed html cleaning to differentiate between fragment cleaning and document cleaning. Added an lxml-based cleaner for document cleaning, also permitting <style> tags (but not external style sheets).
- Legacy-Id: 14775
1 parent f3f77dc commit 6e9bb00

7 files changed

Lines changed: 12 additions & 19 deletions

File tree

ietf/doc/templatetags/ietf_filters.py

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -19,6 +19,7 @@
1919

2020
from ietf.doc.models import ConsensusDocEvent
2121
from ietf.utils.text import wordwrap, fill, wrap_text_if_unwrapped
22+
from ietf.utils.html import sanitize_fragment
2223

2324
register = template.Library()
2425

@@ -130,15 +131,14 @@ def format_textarea(value):
130131
Also calls keep_spacing."""
131132
return keep_spacing(linebreaksbr(escape(value).replace('&lt;b&gt;','<b>').replace('&lt;/b&gt;','</b>').replace('&lt;br&gt;','<br>')))
132133

133-
@register.filter(name='sanitize_html')
134-
def sanitize_html(value):
134+
@register.filter(name='sanitize')
135+
def sanitize(value):
135136
"""Sanitizes an HTML fragment.
136137
This means both fixing broken html and restricting elements and
137138
attributes to those deemed acceptable. See ietf/utils/html.py
138139
for the details.
139140
"""
140-
from ietf.utils.html import sanitize_html
141-
return sanitize_html(value)
141+
return mark_safe(sanitize_fragment(value))
142142

143143

144144
# For use with ballot view
@@ -374,7 +374,7 @@ def format_snippet(text, trunc_words=25):
374374
# expressions, for instance [REF](http://example.com/foo)
375375
# Use bleach.linkify instead
376376
text = bleach.linkify(text)
377-
full = keep_spacing(collapsebr(linebreaksbr(mark_safe(sanitize_html(text)))))
377+
full = keep_spacing(collapsebr(linebreaksbr(mark_safe(sanitize_fragment(text)))))
378378
snippet = truncatewords_html(full, trunc_words)
379379
if snippet != full:
380380
return mark_safe(u'<div class="snippet">%s<button class="btn btn-xs btn-default show-all"><span class="fa fa-caret-down"></span></button></div><div class="hidden full">%s</div>' % (snippet, full))

ietf/secr/proceedings/utils.py

Lines changed: 2 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@
88

99
import debug # pyflakes:ignore
1010

11-
from ietf.utils.html import sanitize_html
11+
from ietf.utils.html import sanitize_document
1212

1313
def handle_upload_file(file,filename,meeting,subdir, request=None):
1414
'''
@@ -40,14 +40,7 @@ def handle_upload_file(file,filename,meeting,subdir, request=None):
4040
text = smart_text(file.read())
4141
# Whole file sanitization; add back what's missing from a complete
4242
# document (sanitize will remove these).
43-
clean = u"""<!DOCTYPE html>
44-
<html lang="en">
45-
<head><title>%s</title></head>
46-
<body>
47-
%s
48-
</body>
49-
</html>
50-
""" % (filename, sanitize_html(text))
43+
clean = sanitize_document(text)
5144
destination.write(clean.encode('utf8'))
5245
if request and clean != text:
5346
messages.warning(request, "Uploaded html content is sanitized to prevent unsafe content. "

ietf/templates/doc/document_charter.html

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -204,7 +204,7 @@ <h2>Charter<br><small>{{ doc.canonical_name }}-{{ doc.rev }}</small></h2>
204204
{% endif %}
205205

206206
{% if doc.rev != "" %}
207-
{{ content|safe|keep_spacing|sanitize_html|wordwrap:80|safe }}
207+
{{ content|safe|keep_spacing|sanitize|wordwrap:80|safe }}
208208
{% endif %}
209209

210210
{% if not snapshot and chartering %}

ietf/templates/doc/document_conflict_review.html

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -142,6 +142,6 @@ <h2>Conflict review<br><small>{{ conflictdoc.name }}-{{ conflictdoc.rev }}</smal
142142

143143
{% if doc.rev %}
144144
<p></p>
145-
{{ content|fill:"80"|safe|linebreaksbr|keep_spacing|sanitize_html|safe }}
145+
{{ content|fill:"80"|safe|linebreaksbr|keep_spacing|sanitize }}
146146
{% endif %}
147147
{% endblock %}

ietf/templates/doc/document_material.html

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -124,7 +124,7 @@
124124
<h2>{% if doc.meeting_related %}Meeting{% endif %} {{ doc.type.name }}<br><small>{{ doc.name }}</small></h2>
125125

126126
{% if doc.rev and content != None %}
127-
{{ content|maybewordwrap|safe|linebreaksbr|keep_spacing|sanitize_html|safe }}
127+
{{ content|maybewordwrap|safe|linebreaksbr|keep_spacing|sanitize }}
128128
{% else %}
129129
<p>Not available as plain text.</p>
130130

ietf/templates/doc/document_review.html

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -55,6 +55,6 @@
5555
<h2>{{ doc.type.name }}<br><small>{{ doc.name }}</small></h2>
5656

5757
{% if doc.rev and content != None %}
58-
<pre class="pasted">{{ content|linkify|safe|sanitize_html|safe }}</pre>
58+
<pre class="pasted">{{ content|linkify|safe|sanitize }}</pre>
5959
{% endif %}
6060
{% endblock %}

ietf/templates/doc/document_status_change.html

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -155,7 +155,7 @@
155155
</p>
156156

157157
{% if doc.rev %}
158-
{{ content|fill:"80"|safe|linebreaksbr|keep_spacing|sanitize_html|safe }}
158+
{{ content|fill:"80"|safe|linebreaksbr|keep_spacing|sanitize }}
159159
{% endif %}
160160

161161
{% endblock %}

0 commit comments

Comments
 (0)