views: sanitize HTML output in templates

inveniosoftware · Jul 15, 2019 · 505da72 · 505da72
1 parent 5c4de67
commit 505da72
Show file tree

Hide file tree

Showing 5 changed files with 75 additions and 24 deletions.
diff --git a/invenio_communities/config.py b/invenio_communities/config.py
@@ -120,3 +120,41 @@
 COMMUNITIES_URL_COMMUNITY_VIEW = \
     '{protocol}://{host}/communities/{community_id}/'
 """String pattern to generate the URL for the view of a community."""
+
+COMMUNITIES_ALLOWED_TAGS = [
+    'a',
+    'abbr',
+    'acronym',
+    'b',
+    'blockquote',
+    'br',
+    'code',
+    'div',
+    'em',
+    'h1',
+    'h2',
+    'h3',
+    'h4',
+    'h5',
+    'i',
+    'li',
+    'ol',
+    'p',
+    'pre',
+    'span',
+    'strike',
+    'strong',
+    'sub',
+    'sup',
+    'u',
+    'ul',
+]
+"""List of allowed tags used to sanitize HTML output for communities."""
+
+COMMUNITIES_ALLOWED_ATTRS = {
+    '*': ['class'],
+    'a': ['href', 'title', 'name', 'class', 'rel'],
+    'abbr': ['title'],
+    'acronym': ['title'],
+}
+"""List of allowed attributes used to sanitize HTML output for communities."""
diff --git a/invenio_communities/templates/invenio_communities/about.html b/invenio_communities/templates/invenio_communities/about.html
@@ -27,7 +27,7 @@
   <div class="container">
     <div class="row">
       <div class="col-md-8">
-        {{community.page|safe}}
+        {{ community.page | sanitize_html | safe }}
       </div>
       <div class="col-md-4">
         <div class="well">{% include "invenio_communities/portalbox_main.html" %}</div>

diff --git a/invenio_communities/templates/invenio_communities/portalbox_main.html b/invenio_communities/templates/invenio_communities/portalbox_main.html
@@ -32,7 +32,7 @@
 {%- endif %}
 <h4>{{community.title}}</h4>
 {%- if community.description %}
-{{ community.description|safe }}
+{{ community.description | sanitize_html | safe }}
 {%- endif %}
 {%- if community.page %}
 <a href="{{ url_for('invenio_communities.about', community_id=community.id) }}" class="pull-right">
@@ -45,7 +45,7 @@ <h4>{{community.title}}</h4>
   {%- if community.owner.profile and community.owner.profile.username %}
     <dt>{{ _('Curated by:') }}</dt><dd>{{ community.owner.profile.username }}</dd>
   {%- endif %}
-  <dt>{{ _('Curation policy:') }}</dt><dd>{{ community.curation_policy|safe|default(_('Not specified'), true) }}</dd>
+  <dt>{{ _('Curation policy:') }}</dt><dd>{{ community.curation_policy | sanitize_html | safe | default(_('Not specified'), true) }}</dd>
   <dt>{{ _('Created:') }}</dt><dd>{{ community.created|dateformat(format='long') }}</dd>
   <dt>{{ _('Harvesting API:') }}</dt><dd><a href="{{ community.oaiset_url }}">{{ _('OAI-PMH Interface') }}</a></dd>
 </dl>
diff --git a/invenio_communities/views/ui.py b/invenio_communities/views/ui.py
@@ -29,6 +29,7 @@
 import copy
 from functools import wraps
 
+import bleach
 from flask import Blueprint, abort, current_app, flash, jsonify, redirect, \
     render_template, request, url_for
 from flask_babelex import gettext as _
@@ -53,6 +54,17 @@
 )
 
 
+@blueprint.app_template_filter('sanitize_html')
+def sanitize_html(value):
+    """Sanitizes HTML using the bleach library."""
+    return bleach.clean(
+        value,
+        tags=current_app.config['COMMUNITIES_ALLOWED_TAGS'],
+        attributes=current_app.config['COMMUNITIES_ALLOWED_ATTRS'],
+        strip=True,
+    ).strip()
+
+
 def pass_community(f):
     """Decorator to pass community."""
     @wraps(f)

diff --git a/setup.py b/setup.py
@@ -34,19 +34,19 @@
 history = open('CHANGES.rst').read()
 
 tests_require = [
-    'Flask-CeleryExt>=0.2.2',
+    'Flask-CeleryExt>=0.3.2',
     'SQLAlchemy-Continuum>=1.2.1',
     'check-manifest>=0.25',
-    'coverage>=4.0',
-    'invenio-mail>=1.0.0a3',
-    'invenio-oaiserver>=1.0.0a9',
+    'coverage>=4.5.3',
+    'invenio-mail>=1.0.2',
+    'invenio-oaiserver>=1.0.3',
     'isort>=4.3.3',
     'mock>=1.3.0',
     'pydocstyle>=1.0.0',
     'pytest-cache>=1.0',
-    'pytest-cov>=1.8.0',
+    'pytest-cov>=2.7.1',
     'pytest-pep8>=1.0.6',
-    'pytest>=2.8.0,!=3.3.0',
+    'pytest>=4.6.4,<5.0.0',
 ]
 
 extras_require = {
@@ -60,13 +60,13 @@
         'Flask-Mail>=0.9.1',
     ],
     'oai': [
-        'invenio-oaiserver>=1.0.0a8',
+        'invenio-oaiserver>=1.0.3',
     ],
     'mysql': [
-        'invenio-db[mysql]>=1.0.0b3',
+        'invenio-db[mysql]>=1.0.3',
     ],
     'postgresql': [
-        'invenio-db[postgresql]>=1.0.0b3',
+        'invenio-db[postgresql]>=1.0.3',
     ],
     'sqlite': [
         'invenio-db>=1.0.0b3',
@@ -86,20 +86,21 @@
 ]
 
 install_requires = [
-    'Flask-BabelEx>=0.9.3',
-    'Flask>=0.11.1',
+    'bleach>=2.1.3',
     'elasticsearch-dsl>=2.0.0,<3.0.0',
     'elasticsearch>=2.0.0,<3.0.0',
-    'invenio-access>=1.0.0a11',
-    'invenio-accounts>=1.0.0b1',
-    'invenio-assets>=1.0.0b2',
-    'invenio-files-rest>=1.0.0.a14',
-    'invenio-indexer>=1.0.0a8',
-    'invenio-pidstore>=1.0.0b1',
-    'invenio-records>=1.0.0b1',
-    'invenio-rest[cors]>=1.0.0a9',
-    'invenio-search>=1.0.0a9',
-    'marshmallow>=2.15.0',
+    'Flask-BabelEx>=0.9.3',
+    'Flask>=0.11.1',
+    'invenio-access>=1.1.0',
+    'invenio-accounts>=1.1.0',
+    'invenio-assets>=1.1.2',
+    'invenio-files-rest>=1.0.0b1',
+    'invenio-indexer>=1.0.2',
+    'invenio-pidstore>=1.0.0',
+    'invenio-records>=1.2.0',
+    'invenio-rest[cors]>=1.0.0',
+    'invenio-search>=1.1.0',
+    'marshmallow>=2.15.0,<3',
 ]
 
 packages = find_packages()