This is an automated email from the ASF dual-hosted git repository. brondsem pushed a commit to branch db/8536 in repository https://gitbox.apache.org/repos/asf/allura.git
commit 38e48ad3ca147af48f7a409bb664d6278a8b40fe
Author: Dave Brondsema <[email protected]>
AuthorDate: Mon Feb 12 12:20:06 2024 -0500
[#8536] use h.clean_html and |safe_html
---
Allura/allura/config/app_cfg.py | 1 +
Allura/allura/ext/admin/templates/project_trove.html | 2 +-
Allura/allura/lib/helpers.py | 9 ++++++++-
Allura/allura/templates/jinja_master/master.html | 4 ++--
Allura/allura/templates/neighborhood_project_list.html | 2 +-
Allura/allura/templates_responsive/jinja_master/master.html | 4 ++--
Allura/allura/tests/test_helpers.py | 5 +++++
7 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/Allura/allura/config/app_cfg.py b/Allura/allura/config/app_cfg.py
index 33e5148c4..e0a5cfb4c 100644
--- a/Allura/allura/config/app_cfg.py
+++ b/Allura/allura/config/app_cfg.py
@@ -143,6 +143,7 @@ class AlluraJinjaRenderer(JinjaRenderer):
 jinja2_env.filters['filter'] = lambda s, t=None: list(filter(t and jinja2_env.tests[t], s))
 jinja2_env.filters['nl2br'] = helpers.nl2br_jinja_filter
 jinja2_env.filters['subrender'] = helpers.subrender_jinja_filter
+ jinja2_env.filters['safe_html'] = helpers.clean_html
 jinja2_env.globals.update({
 'hasattr': hasattr,
 'h': helpers,
diff --git a/Allura/allura/ext/admin/templates/project_trove.html b/Allura/allura/ext/admin/templates/project_trove.html
index 0d1a9da78..1fbff6e95 100644
--- a/Allura/allura/ext/admin/templates/project_trove.html
+++ b/Allura/allura/ext/admin/templates/project_trove.html
@@ -27,7 +27,7 @@
 {% set help_text = config.get('trovecategories.admin.help.'+base.shortname, '') %}
 {% if help_text %}
 <div class="grid-19">
- {{ help_text|safe }}
+ {{ help_text|safe_html }}
 <br><br>
 </div>
 {% endif %}
diff --git a/Allura/allura/lib/helpers.py b/Allura/allura/lib/helpers.py
index 26dd2d94f..f0675e443 100644
--- a/Allura/allura/lib/helpers.py
+++ b/Allura/allura/lib/helpers.py
@@ -809,7 +809,7 @@ def subrender_jinja_filter(context, html_tmpl: str) -> Markup:
 log.exception(f'Could not replace {var} in jinja "subrender" for site notification')
 continue
 html_tmpl = html_tmpl.replace(var, val)
- return Markup(html_tmpl)
+ return clean_html(html_tmpl)
 def nl2br_jinja_filter(value):
@@ -1378,3 +1378,10 @@ def pluralize_tool_name(tool_name: string, count: int):
 def parse_fediverse_address(username: str):
 pieces = username.split('@')
 return f'https://{pieces[-1]}/@{pieces[1]}'
+ + def clean_html(value: str) -> Markup: from allura.lib.markdown_extensions import HTMLSanitizer return Markup( HTMLSanitizer().run(value) )
diff --git a/Allura/allura/templates/jinja_master/master.html b/Allura/allura/templates/jinja_master/master.html
index 6d0d829c1..19cb43ca1 100644
--- a/Allura/allura/templates/jinja_master/master.html
+++ b/Allura/allura/templates/jinja_master/master.html
@@ -56,11 +56,11 @@
 {% if c.project and c.project.neighborhood.css %}
 <style type="text/css">
- {{c.project.neighborhood.get_custom_css()|safe}}
+ {{ c.project.neighborhood.get_custom_css()|safe_html }}
 </style>
 {% elif neighborhood|default and neighborhood.css %}
 <style type="text/css">
- {{neighborhood.get_custom_css()}}
+ {{ neighborhood.get_custom_css()|safe_html }}
 </style>
 {% endif %}
 {% block extra_css %}{% endblock %}
diff --git a/Allura/allura/templates/neighborhood_project_list.html b/Allura/allura/templates/neighborhood_project_list.html
index 91fecd345..53e33b3e1 100644
--- a/Allura/allura/templates/neighborhood_project_list.html
+++ b/Allura/allura/templates/neighborhood_project_list.html
@@ -45,7 +45,7 @@
 {{ text }}
 {% endif %}
 {% if neighborhood.homepage %}
- {{neighborhood.homepage|safe}}
+ {{neighborhood.homepage|safe_html}}
 {% endif %}
 {% if neighborhood.allow_browse %}
 {% if not projects %}
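Review bot: Sanitising only after the `html_tmpl.replace(var, val)` loop means every substituted `val` is parsed as HTML rather than inserted as text, and the sanitizer will keep whatever tags and attributes its allow-list permits (links, inline styles) if a value happens to contain them; if any of those values can carry user-controlled text such as a display name or project title, it should be escaped at substitution time, e.g. `html_tmpl = html_tmpl.replace(var, str(Markup.escape(val)))`, leaving `clean_html` as the final defence for the operator-authored notification template itself. Where `val` comes from is outside this hunk, so treat this as a check rather than a confirmed defect. `subrender_jinja_filter` starts before the hunk; the loop and the `try` whose failure is logged here are only partly visible.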
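Review bot: `clean_html` is registered as a drop-in for `|safe`, but `Markup(value)` accepted `None` and Jinja's `Undefined` (rendering `None` and empty respectively), whereas here `value` goes straight into `HTMLSanitizer().run`, which most likely raises on a non-string; every `|safe_html` site in this commit is guarded by an `{% if %}`, so this only bites a future unguarded use, but a page-level 500 is cheap to avoid with `text = '' if value is None else str(value)` before the call. The function also needs a docstring that states its contract and scope, e.g. `"""Sanitise untrusted HTML against HTMLSanitizer's tag/attribute/CSS-property allow-list and mark the result safe for Jinja; intended for HTML body content only, not attribute values, URLs or <style>/<script> bodies."""`, and the function-scope import deserves a reason comment such as `# local import: presumably avoids a circular import with markdown_extensions — confirm`. Spelling out the allowed context matters because this same filter is applied to `<style>` bodies elsewhere in the commit, where an HTML-body sanitizer is not the right tool.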
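Review bot: Passing `get_custom_css()` through the HTML sanitizer is the wrong filter for the body of a `<style>` element: if, as the `<script>` test in this commit suggests (its expected value presumably reads `&lt;script&gt;…` before the page rendering decoded the entities), the sanitizer HTML-escapes text rather than dropping it, a child combinator like `.nav > li` becomes `.nav &gt; li` and `&` inside `url(...)` becomes `&amp;`, and a `<style>` element is raw text where those entities are never decoded, so valid neighborhood CSS silently stops applying (the old `|safe` branch emitted it verbatim). The only HTML-level hazard in that position is a `<` that could begin `</style>`, so a CSS-specific filter that neutralises just that character and leaves `>`, `&` and quotes alone, e.g. a `safe_css` filter defined as `lambda v: Markup(str(v).replace('<', ''))`, keeps the breakout protection without corrupting real CSS, and a test with `.a > .b {}` and `</style><script>` would pin it. CSS-level concerns such as `url()` beacons or legacy `expression()` are a separate question that neither filter addresses. The `elif` branch had no `|safe` before, so whether it was already being autoescaped, and whether `get_custom_css()` does any escaping of its own, cannot be told from this hunk.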
diff --git a/Allura/allura/templates_responsive/jinja_master/master.html b/Allura/allura/templates_responsive/jinja_master/master.html
index 3786e2b88..5d28d00dc 100644
--- a/Allura/allura/templates_responsive/jinja_master/master.html
+++ b/Allura/allura/templates_responsive/jinja_master/master.html
@@ -58,11 +58,11 @@
 {% if c.project and c.project.neighborhood.css %}
 <style type="text/css">
- {{c.project.neighborhood.get_custom_css()|safe}}
+ {{ c.project.neighborhood.get_custom_css()|safe_html }}
 </style>
 {% elif neighborhood|default and neighborhood.css %}
 <style type="text/css">
- {{neighborhood.get_custom_css()}}
+ {{ neighborhood.get_custom_css()|safe_html }}
 </style>
 {% endif %}
 {% block extra_css %}{% endblock %}
diff --git a/Allura/allura/tests/test_helpers.py b/Allura/allura/tests/test_helpers.py
index bb7908c9b..99eae9ce4 100644
--- a/Allura/allura/tests/test_helpers.py
+++ b/Allura/allura/tests/test_helpers.py
@@ -707,3 +707,8 @@ def test_querystring():
 'https://mysite.com/p/test/foobar/p/test/foobar?page=2&limit=5&count=100')
 assert (h.querystring(req, dict(page=5, limit=2, count=None)) ==
 'https://mysite.com/p/test/foobar/p/test/foobar?page=5&limit=2')
+
+def test_clean_html(): assert h.clean_html('<script>alert(1)</script>') == '<script>alert(1)</script>' assert h.clean_html('<b style="color: red; right: 0">ok</b>') == '<b style="color: red;">ok</b>' assert isinstance(h.clean_html('foo'), Markup)
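Review bot: The `|safe_html` filter is applied here to `get_custom_css()` inside a `<style>` element, where an HTML-body sanitizer is a poor fit: if it HTML-escapes text (as the `<script>` test elsewhere in this commit suggests), CSS child combinators (`.a > .b`) and `&` in `url()` values come out as `&gt;`/`&amp;`, which a raw-text `<style>` element does not decode, so the neighborhood's custom CSS stops working. A CSS-context filter that only neutralises `<` (the one character that can end the element) would be both safer to reason about and lossless for real CSS, e.g. register `safe_css` as `lambda v: Markup(str(v).replace('<', ''))`. The responsive and non-responsive `master.html` should use the same filter so the two layouts cannot drift on this point.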
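Review bot: `test_clean_html` pins only the `<script>` and `style`-attribute cases; a tag allow-list is usually defeated through attributes and URL schemes rather than tags, so it should also assert `assert 'onerror' not in h.clean_html('<img src=x onerror=alert(1)>')` and `assert 'javascript:' not in h.clean_html('<a href="javascript:alert(1)">x</a>')`, plus one case for the `<style>` use this commit introduces, e.g. `assert h.clean_html('.a > .b {}') == '.a > .b {}'`, which will fail if the sanitizer escapes `>` and thereby documents whether CSS bodies are a supported input. As displayed here the first assertion's expected value reads identically to its input; presumably the source has `&lt;script&gt;…` and the page rendering decoded the entities, but it is worth eyeballing, since an equality against the raw input would pass a no-op sanitizer. The three new `assert` lines lost their `+` markers in this rendering, and `test_querystring` starts before the hunk.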
