Support Markdown in announcement & sanitize HTML

indico · Jan 27, 2023 · ed31c14 · ed31c14
1 parent b8f4858
commit ed31c14
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 7 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -20,6 +20,8 @@ Improvements
   (:pr:`5608`)
 - Add setting to only allow managers to upload attachments to events and
   contributions (:pr:`5597`)
+- Support Markdown when writing global announcement and apply standard HTML
+  sanitization to the message (:pr:`5640`)
 
 Bugfixes
 ^^^^^^^^

diff --git a/indico/modules/announcement/__init__.py b/indico/modules/announcement/__init__.py
@@ -10,6 +10,7 @@
 from indico.core import signals
 from indico.core.settings import SettingsProxy
 from indico.util.i18n import _
+from indico.util.string import render_markdown
 from indico.web.flask.templating import template_hook
 from indico.web.flask.util import url_for
 from indico.web.menu import SideMenuItem
@@ -25,9 +26,8 @@
 def _inject_announcement_header(**kwargs):
     if not announcement_settings.get('enabled'):
         return
-    message = announcement_settings.get('message')
-    if message:
-        return ('warning', message)
+    if message := announcement_settings.get('message'):
+        return ('warning', render_markdown(message, extra_html=True))
 
 
 @signals.menu.items.connect_via('admin-sidemenu')

diff --git a/indico/modules/announcement/forms.py b/indico/modules/announcement/forms.py
@@ -16,4 +16,5 @@
 
 class AnnouncementForm(IndicoForm):
     enabled = BooleanField(_('Enabled'), widget=SwitchWidget())
-    message = TextAreaField(_('Message'), [UsedIf(lambda form, _: form.enabled.data), DataRequired()])
+    message = TextAreaField(_('Message'), [UsedIf(lambda form, _: form.enabled.data), DataRequired()],
+                            description=_('You may use Markdown and basic HTML elements for formatting.'))
diff --git a/indico/util/string.py b/indico/util/string.py
@@ -137,14 +137,15 @@ def strip_tags(text):
     return do_striptags(text)
 
 
-def render_markdown(text, escape_latex_math=True, md=None, **kwargs):
+def render_markdown(text, escape_latex_math=True, md=None, extra_html=False, **kwargs):
     """Mako markdown to HTML filter.
 
     :param text: Markdown source to convert to HTML
     :param escape_latex_math: Whether math expression should be left untouched or a function that will be called
                               to replace math-mode segments.
     :param md: An alternative markdown processor (can be used
                to generate e.g. a different format)
+    :param extra_html: Whether to allow a bigger set of HTML tags
     :param kwargs: Extra arguments to pass on to the markdown
                    processor
     """
@@ -163,8 +164,11 @@ def _math_replace(m):
     if md is None:
         extensions = set(kwargs.pop('extensions', ()))
         extensions.add('fenced_code')
-        result = bleach.clean(markdown.markdown(text, extensions=tuple(extensions), **kwargs), tags=BLEACH_ALLOWED_TAGS,
-                              attributes=BLEACH_ALLOWED_ATTRIBUTES)
+        result = markdown.markdown(text, extensions=tuple(extensions), **kwargs)
+        if extra_html:
+            result = sanitize_html(result)
+        else:
+            result = bleach.clean(result, tags=BLEACH_ALLOWED_TAGS, attributes=BLEACH_ALLOWED_ATTRIBUTES)
     else:
         result = md(text, **kwargs)