Derive "safeHtml" from all "bodyHtml" values

aleph/tests/test_entities_api.py

@@ -125,6 +125,47 @@ def test_view_bookmarked(self):
         res = self.client.get(url, headers=headers)
         assert res.json["bookmarked"], res.json
 
+    def test_view_sanitize_html(self):
+        data = {
+            "schema": "HyperText",
+            "properties": {
+                "bodyHtml": "<style>body { color: red; }</style><p>Hello World!</p><script>alert('Ooops')</script>",
+            },
+        }
+
+        entity = self.create_entity(data, self.col)
+        index_entity(entity)
+
+        _, headers = self.login(is_admin=True)
+        url = f"/api/2/entities/{entity.id}"
+        res = self.client.get(url, headers=headers)
+
+        actual = res.json["safeHtml"]
+        expected = ["<html><body><div><p>Hello World!</p></div></body></html>"]
+        assert actual == expected, actual
+
+    def test_view_sanitize_html_multi_value(self):
+        data = {
+            "schema": "Email",
+            "properties": {
+                "bodyHtml": ["This is part 1.", "This is part 2."],
+            },
+        }
+
+        entity = self.create_entity(data, self.col)
+        index_entity(entity)
+
+        _, headers = self.login(is_admin=True)
+        url = f"/api/2/entities/{entity.id}"
+        res = self.client.get(url, headers=headers)
+
+        actual = res.json["safeHtml"]
+        expected = [
+            "<html><body><p>This is part 1.</p></body></html>",
+            "<html><body><p>This is part 2.</p></body></html>",
+        ]
+        assert actual == expected, actual
+
     def test_update(self):
         _, headers = self.login(is_admin=True)
         url = "/api/2/entities/%s" % self.id

aleph/views/entities_api.py

@@ -305,10 +305,12 @@ def view(entity_id):
     entity = get_index_entity(entity_id, request.authz.READ, excludes=excludes)
     tag_request(collection_id=entity.get("collection_id"))
     proxy = model.get_proxy(entity)
-    html = proxy.first("bodyHtml", quiet=True)
+    html = proxy.get("bodyHtml", quiet=True)
     source_url = proxy.first("sourceUrl", quiet=True)
     encoding = proxy.first("encoding", quiet=True)
-    entity["safeHtml"] = sanitize_html(html, source_url, encoding=encoding)
+    entity["safeHtml"] = [
+        sanitize_html(value, source_url, encoding=encoding) for value in html
+    ]
     entity["shallow"] = False
 
     if request.authz.logged_in:

requirements.txt

@@ -1,6 +1,6 @@
 # Dependencies maintained by OCCRP
 banal==1.0.6
-followthemoney==3.4.3
+followthemoney==3.4.4
 followthemoney-store[postgresql]==3.0.5
 followthemoney-compare==0.4.4
 fingerprints==1.0.3

ui/src/viewers/EmailViewer.jsx

@@ -73,16 +73,22 @@ class EmailViewer extends PureComponent {
 
   renderBody() {
     const { document } = this.props;
+
     if (document.isPending) {
       return <Skeleton.Text type="span" length={1000} />;
     }
+
     if (document.safeHtml && document.safeHtml.length) {
-      return <span dangerouslySetInnerHTML={{ __html: document.safeHtml }} />;
+      return document.safeHtml.map((value, index) => (
+        <div key={index} dangerouslySetInnerHTML={{ __html: value }} />
+      ));
     }
+
     const bodyText = document.getFirst('bodyText');
     if (bodyText && bodyText.length > 0) {
       return <Pre>{bodyText}</Pre>;
     }
+
     return (
       <p className={Classes.TEXT_MUTED}>
         <FormattedMessage

ui/src/viewers/HtmlViewer.jsx

@@ -10,7 +10,9 @@ class HtmlViewer extends Component {
     const body = document.isPending ? (
       <Skeleton.Text type="p" length={4000} />
     ) : (
-      <span dangerouslySetInnerHTML={{ __html: document.safeHtml }} />
+      document.safeHtml.map((value, index) => (
+        <div key={index} dangerouslySetInnerHTML={{ __html: value }} />
+      ))
     );
     return (
       <div className="outer">