Merge pull request #27434 from akhilnarang/fix-html-sanitize
fix(sanitize_html): sanitize all string inputs if specified
This commit is contained in:
Akhil Narang
GitHub
commit
5149a92cbf
2 changed files with 8 additions and 7 deletions
|
|
@ -62,7 +62,7 @@ class Comment(Document):
|
|||
def validate(self):
|
||||
if not self.comment_email:
|
||||
self.comment_email = frappe.session.user
|
||||
self.content = frappe.utils.sanitize_html(self.content)
|
||||
self.content = frappe.utils.sanitize_html(self.content, always_sanitize=True)
|
||||
|
||||
def on_update(self):
|
||||
update_comment_in_doc(self)
|
||||
|
|
|
|||
|
|
@ -142,12 +142,12 @@ def clean_script_and_style(html):
|
|||
return frappe.as_unicode(soup)
|
||||
|
||||
|
||||
def sanitize_html(html, linkify=False):
|
||||
def sanitize_html(html, linkify=False, always_sanitize=False):
|
||||
"""
|
||||
Sanitize HTML tags, attributes and style to prevent XSS attacks
|
||||
Based on bleach clean, bleach whitelist and html5lib's Sanitizer defaults
|
||||
|
||||
Does not sanitize JSON, as it could lead to future problems
|
||||
Does not sanitize JSON unless explicitly specified, as it could lead to future problems
|
||||
"""
|
||||
import bleach
|
||||
from bleach.css_sanitizer import CSSSanitizer
|
||||
|
|
@ -156,11 +156,12 @@ def sanitize_html(html, linkify=False):
|
|||
if not isinstance(html, str):
|
||||
return html
|
||||
|
||||
elif is_json(html):
|
||||
return html
|
||||
if not always_sanitize:
|
||||
if is_json(html):
|
||||
return html
|
||||
|
||||
if not bool(BeautifulSoup(html, "html.parser").find()):
|
||||
return html
|
||||
if not bool(BeautifulSoup(html, "html.parser").find()):
|
||||
return html
|
||||
|
||||
tags = (
|
||||
acceptable_elements
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue