|
| 1 | +ietfdb (6.75.1) ietf; urgency=medium |
| 2 | + |
| 3 | + **Modified HTML upload sanitization** |
| 4 | + |
| 5 | + Feedback from wgchairs@ietf.org indicated that stripping out all styling |
| 6 | + from uploaded files is too harsh. This release modifies the sanitization to |
| 7 | + permit <style> tags in the uploads, and differentiates between fragment |
| 8 | + santitization (through the 'sanitize' template filter) and document |
| 9 | + santitization. This release also addresses some other issue encountered |
| 10 | + with the new upload code, and introduces saving of uploaded files in a |
| 11 | + consistent encoding (UTF-8). From the commitlog: |
| 12 | + |
| 13 | + * Added handling for when file magic doesn't return a definitive encoding |
| 14 | + for a file. Added a test case to excercise upload error cases. |
| 15 | + |
| 16 | + * Changed the meeting materials uploads to use the upload file encoding |
| 17 | + found by file-magic when decoding the upload content, and also return |
| 18 | + errors to the user if decoding the upload fails. Fixes issue #2469. This |
| 19 | + will also have the benefit (since we're saving with utf-8 encoding after |
| 20 | + decoding) of having meeting materials consistently stored with a the same |
| 21 | + encoding on the server. |
| 22 | + |
| 23 | + * Added a new argument encoding= to handle_upload_file() in order to be |
| 24 | + able to deal better with various upload encodings. |
| 25 | + |
| 26 | + * Tweaked the mime type validator so it can be called also when there's no |
| 27 | + explicitly required mime types, in order to consistently return mime-type |
| 28 | + and encoding. |
| 29 | + |
| 30 | + * Changed to an empty iterable instead of None in the valid upload |
| 31 | + mime-types settings when there's no required mime type, in order to |
| 32 | + simplify other code. |
| 33 | + |
| 34 | + * Return encoding information to the FileUploadForm when doing mime type |
| 35 | + validation, for later use in decoding. |
| 36 | + |
| 37 | + * Changed html cleaning to differentiate between fragment cleaning and |
| 38 | + document cleaning. Added an lxml-based cleaner for document cleaning, also |
| 39 | + permitting <style> tags (but not external style sheets). |
| 40 | + |
| 41 | + * Changed order of arguments in a test assert for better error legibility. |
| 42 | + |
| 43 | + * Updated PLAN |
| 44 | + |
| 45 | + -- Henrik Levkowetz <henrik@levkowetz.com> 14 Mar 2018 10:35:54 +0000 |
| 46 | + |
| 47 | + |
1 | 48 | ietfdb (6.75.0) ietf; urgency=medium |
2 | 49 |
|
3 | 50 | **Sanitization of HTML uploads** |
|
0 commit comments