Sanitize content with bleach

commit b1fc3068edbf4cfeef3db22cb85034035a0446d8 1 parent 0e8fbca
@idan authored
Showing with 20 additions and 2 deletions.
  1. +19 −2 gistio.py
  2. +1 −0  requirements.txt
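--- a/gistio.py
+++ b/gistio.py
@@ -4,6 +4,7 @@
 from redis import StrictRedis
 from markdown2 import markdown
 import requests
+import bleach
 from flask import Flask, render_template, make_response, abort
 app = Flask(__name__)
@@ -23,6 +24,20 @@
 RENDERABLE = [u'Markdown', u'Text']
+ALLOWED_TAGS = [
+ "a", "abbr", "acronym", "b", "blockquote", "code", "em", "i", "li", "ol", "strong",
+ "ul", "br", "img", "span", "div", "pre", "p", "dl", "dd", "dt", "tt", "cite", "h1",
+ "h2", "h3", "h4", "h5", "h6", "table", "col", "tr", "td", "th", "tbody", "thead",
+ "colgroup",
+]
+
+ALLOWED_ATTRIBUTES = {
+ "a": ["href", "title"],
+ "acronym": ["title"],
+ "abbr": ["title"],
+ "img": ["src"],
+}
+
 @app.route('/')
 def homepage():
 return render_template('home.html', static_url=STATIC_URL)
@@ -51,12 +66,14 @@ def fetch_and_render(id):
 return None
 decoded = r.json.copy()
 for f in decoded['files'].values():
- f['rendered'] = markdown(f['content'])
 if f['language'] in RENDERABLE:
+ f['rendered'] = bleach.clean(markdown(f['content']),
+ tags=ALLOWED_TAGS, attributes=ALLOWED_ATTRIBUTES)
 encoded = json.dumps(decoded)
 cache.setex(id, CACHE_EXPIRATION, encoded)
 return encoded
 if __name__ == '__main__':
- app.run(host='0.0.0.0', port=PORT)
+ cache.flushall()
+ app.run(host='0.0.0.0', debug=True, port=PORT)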
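Review bot: The new `app.run(host='0.0.0.0', debug=True, port=PORT)` at the end of the section hard-codes Flask debug mode on a listener bound to every interface, which enables the Werkzeug interactive debugger and reloader for anyone who can reach the port in whatever environment this entry point is started; keep the original `app.run(host='0.0.0.0', port=PORT)` and take debug from configuration (an environment variable or a settings value) instead of a literal. The `cache.flushall()` added just above it clears every key in every database on the Redis server at each start (and again when the reloader forks), not only this app's cached gists; if clearing the cache on boot is intended, `cache.flushdb()` limits it to the configured database, and a one-line comment stating why it is there would help. In the loop, `f['rendered']` is now assigned only inside the `if f['language'] in RENDERABLE` branch, so a consumer that reads it for other languages will get a KeyError unless it already guards for the missing key — I cannot see the template from here. `ALLOWED_ATTRIBUTES` passes `href` and `src` through; whether bleach 1.1.4 restricts their URL schemes by default should be confirmed rather than assumed, and the accepted scheme list is worth writing down next to the constant. fetch_and_render's body begins outside the hunk.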
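--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,4 @@
+bleach==1.1.4
 Flask==0.9
 hiredis==0.1.1
 markdown2==2.0.0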