This is an automated email from the ASF dual-hosted git repository.

gcruz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/allura.git

commit b5333e288be17b6e2fcdd2d486f0883d4fdc7141
Author: Dave Brondsema <dbronds...@slashdotmedia.com>
AuthorDate: Mon Feb 12 12:20:06 2024 -0500

    [#8536] use h.clean_html and |safe_html
---
 Allura/allura/config/app_cfg.py                             | 1 +
 Allura/allura/ext/admin/templates/project_trove.html        | 2 +-
 Allura/allura/lib/helpers.py                                | 9 ++++++++-
 Allura/allura/templates/jinja_master/master.html            | 4 ++--
 Allura/allura/templates/neighborhood_project_list.html      | 2 +-
 Allura/allura/templates_responsive/jinja_master/master.html | 4 ++--
 Allura/allura/tests/test_helpers.py                         | 5 +++++
 7 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/Allura/allura/config/app_cfg.py b/Allura/allura/config/app_cfg.py
index 33e5148c4..e0a5cfb4c 100644
--- a/Allura/allura/config/app_cfg.py
+++ b/Allura/allura/config/app_cfg.py
@@ -143,6 +143,7 @@ class AlluraJinjaRenderer(JinjaRenderer):
         jinja2_env.filters['filter'] = lambda s, t=None: list(filter(t and 
jinja2_env.tests[t], s))
         jinja2_env.filters['nl2br'] = helpers.nl2br_jinja_filter
         jinja2_env.filters['subrender'] = helpers.subrender_jinja_filter
+        jinja2_env.filters['safe_html'] = helpers.clean_html
         jinja2_env.globals.update({
             'hasattr': hasattr,
             'h': helpers,
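Review bot: The new filter is registered without any hint about when to use it over the built-in `|safe`, which is the filter the rest of this commit is replacing. A one-line comment on the `safe_html` line would steer future template authors, e.g. `# Sanitizes stored/config HTML via HTMLSanitizer; use this instead of |safe for any non-literal HTML`. The `_setup_jinja` body this hunk sits in begins and ends outside the hunk.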
diff --git a/Allura/allura/ext/admin/templates/project_trove.html 
b/Allura/allura/ext/admin/templates/project_trove.html
index 0d1a9da78..1fbff6e95 100644
--- a/Allura/allura/ext/admin/templates/project_trove.html
+++ b/Allura/allura/ext/admin/templates/project_trove.html
@@ -27,7 +27,7 @@
   {% set help_text = config.get('trovecategories.admin.help.'+base.shortname, 
'') %}
   {% if help_text %}
     <div class="grid-19">
-      {{ help_text|safe }}
+      {{ help_text|safe_html }}
       <br><br>
     </div>
   {% endif %}
diff --git a/Allura/allura/lib/helpers.py b/Allura/allura/lib/helpers.py
index 26dd2d94f..f0675e443 100644
--- a/Allura/allura/lib/helpers.py
+++ b/Allura/allura/lib/helpers.py
@@ -809,7 +809,7 @@ def subrender_jinja_filter(context, html_tmpl: str) -> 
Markup:
             log.exception(f'Could not replace {var} in jinja "subrender" for 
site notification')
             continue
         html_tmpl = html_tmpl.replace(var, val)
-    return Markup(html_tmpl)
+    return clean_html(html_tmpl)
 
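Review bot: The sanitizer now runs after the `html_tmpl.replace(var, val)` substitution, so the substituted values are sanitized along with the template text; that ordering is deliberate and worth stating, because moving `clean_html` above the loop would silently reopen injection via `val`. I would add `# sanitize after substitution so injected values are covered too` above the return. `subrender_jinja_filter` starts outside the hunk, so I cannot see where `val` comes from or whether it is already escaped.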
 
 def nl2br_jinja_filter(value):
@@ -1378,3 +1378,10 @@ def pluralize_tool_name(tool_name: string, count: int):
 def parse_fediverse_address(username: str):
     pieces = username.split('@')
     return f'https://{pieces[-1]}/@{pieces[1]}'
+
+
+def clean_html(value: str) -> Markup:
+    from allura.lib.markdown_extensions import HTMLSanitizer
+    return Markup(
+        HTMLSanitizer().run(value)
+    )
diff --git a/Allura/allura/templates/jinja_master/master.html 
b/Allura/allura/templates/jinja_master/master.html
index 6d0d829c1..19cb43ca1 100644
--- a/Allura/allura/templates/jinja_master/master.html
+++ b/Allura/allura/templates/jinja_master/master.html
@@ -56,11 +56,11 @@
 
     {% if c.project and c.project.neighborhood.css %}
         <style type="text/css">
-            {{c.project.neighborhood.get_custom_css()|safe}}
+            {{ c.project.neighborhood.get_custom_css()|safe_html }}
         </style>
     {% elif neighborhood|default and neighborhood.css %}
         <style type="text/css">
-            {{neighborhood.get_custom_css()}}
+            {{ neighborhood.get_custom_css()|safe_html }}
         </style>
     {% endif %}
     {% block extra_css %}{% endblock %}
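Review bot: `safe_html` is applied to `get_custom_css()` whose output is emitted inside a `<style>` element, and an HTML tag sanitizer is the wrong tool for that context: the visible test shows it entity-escapes markup (`&lt;script&gt;`), which does stop a `</style>` break-out, but raw-text elements do not decode entities, so any legitimate `<`, `>` or `&` in the CSS will now be corrupted rather than preserved, and CSS-level risks such as `@import`, `url()` to third-party hosts, or `expression()` are not addressed by an allowlist of HTML tags and attributes. Unless `HTMLSanitizer` also parses free-standing CSS (I cannot see its implementation here), I would either pass the CSS through a dedicated CSS sanitizer or, at minimum, reject the value when it contains `</` and document the limitation in a template comment, e.g. `{# safe_html only prevents </style> break-out; CSS content itself is not validated #}`. The second branch previously had no `|safe`, so if autoescaping was active it was already being escaped; the new filter changes that branch from escaping to sanitizing.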
diff --git a/Allura/allura/templates/neighborhood_project_list.html 
b/Allura/allura/templates/neighborhood_project_list.html
index 91fecd345..53e33b3e1 100644
--- a/Allura/allura/templates/neighborhood_project_list.html
+++ b/Allura/allura/templates/neighborhood_project_list.html
@@ -45,7 +45,7 @@
       {{ text }}
     {% endif %}
     {% if neighborhood.homepage %}
-      {{neighborhood.homepage|safe}}
+      {{neighborhood.homepage|safe_html}}
     {% endif %}
     {% if neighborhood.allow_browse %}
       {% if not projects %}
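Review bot: `neighborhood.homepage` is now sanitized rather than trusted, which is the right direction, but the template gives no indication of who can set that field or whether it was previously sanitized on write; if it is also sanitized at save time, the two sanitizer configurations need to agree or content that round-trips will be altered on every render. I would add a short comment such as `{# homepage is stored HTML; sanitized at render time by safe_html #}` so the trust assumption is explicit at the point of output.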
diff --git a/Allura/allura/templates_responsive/jinja_master/master.html 
b/Allura/allura/templates_responsive/jinja_master/master.html
index 3786e2b88..5d28d00dc 100644
--- a/Allura/allura/templates_responsive/jinja_master/master.html
+++ b/Allura/allura/templates_responsive/jinja_master/master.html
@@ -58,11 +58,11 @@
 
     {% if c.project and c.project.neighborhood.css %}
         <style type="text/css">
-            {{c.project.neighborhood.get_custom_css()|safe}}
+            {{ c.project.neighborhood.get_custom_css()|safe_html }}
         </style>
     {% elif neighborhood|default and neighborhood.css %}
         <style type="text/css">
-            {{neighborhood.get_custom_css()}}
+            {{ neighborhood.get_custom_css()|safe_html }}
         </style>
     {% endif %}
     {% block extra_css %}{% endblock %}
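Review bot: As in the non-responsive master template, an HTML sanitizer is being used on CSS placed inside a `<style>` element; inside that raw-text context entity escaping prevents a `</style>` break-out but does not validate the CSS itself (`@import`, external `url()` loads, legacy `expression()`), and any literal `<`, `>` or `&` in the stylesheet will now render as entity text because `<style>` content is not entity-decoded. If `HTMLSanitizer` is not also a CSS sanitizer, which I cannot tell from this diff, the CSS should go through a CSS-aware filter or the limitation should be recorded in the template, e.g. `{# safe_html blocks </style> break-out only; CSS rules are not validated #}`.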
diff --git a/Allura/allura/tests/test_helpers.py 
b/Allura/allura/tests/test_helpers.py
index bb7908c9b..99eae9ce4 100644
--- a/Allura/allura/tests/test_helpers.py
+++ b/Allura/allura/tests/test_helpers.py
@@ -707,3 +707,8 @@ def test_querystring():
             
'https://mysite.com/p/test/foobar/p/test/foobar?page=2&limit=5&count=100')
     assert (h.querystring(req, dict(page=5, limit=2, count=None)) ==
             'https://mysite.com/p/test/foobar/p/test/foobar?page=5&limit=2')
+
+def test_clean_html():
+    assert h.clean_html('<script>alert(1)</script>') == 
'&lt;script&gt;alert(1)&lt;/script&gt;'
+    assert h.clean_html('<b style="color: red; right: 0">ok</b>') == '<b 
style="color: red;">ok</b>'
+    assert isinstance(h.clean_html('foo'), Markup)
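Review bot: The new test covers a `<script>` element and the `style` attribute allowlist but not the attribute- and URL-based vectors that `safe_html` is now relied upon to stop, nor the `<style>` context it is used in by `master.html`. I would add assertions that do not depend on the sanitizer's exact output, such as `assert 'onclick' not in h.clean_html('<a onclick="x()">x</a>')`, `assert 'javascript:' not in h.clean_html('<a href="javascript:alert(1)">x</a>')` and `assert '</style>' not in h.clean_html('a{} </style><script>alert(1)</script>')`, plus a check that passing a `Markup` value is not double-escaped. The function also needs a second blank line before `def test_clean_html` to match PEP 8 and the rest of the file.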
