Merge pull request #36452 from akhilnarang/allow-blocking-extra-tags

feat(sanitize_html): allow the caller to block additional tags
This commit is contained in:
Akhil Narang 2026-01-29 16:24:03 +05:30 committed by GitHub
commit 7196bbcd37
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 8 additions and 2 deletions


@ -62,7 +62,9 @@ class Comment(Document):
def validate(self):
if not self.comment_email:
self.comment_email = frappe.session.user
self.content = frappe.utils.sanitize_html(self.content, always_sanitize=True)
self.content = frappe.utils.sanitize_html(
self.content, always_sanitize=True, disallowed_tags=["form", "input", "button"]
)
def on_update(self):
update_comment_in_doc(self)
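Review bot: The block-list on the line `self.content, always_sanitize=True, disallowed_tags=["form", "input", "button"]` is an inline literal inside `validate`, so there is no single place that documents why exactly these three tags are refused in comments and any other caller that needs the same policy will copy the list by hand; hoisting it to a module-level constant such as `COMMENT_DISALLOWED_TAGS = ("form", "input", "button")  # interactive form elements must not render inside a comment` and passing `disallowed_tags=COMMENT_DISALLOWED_TAGS` keeps the policy in one named place. The default allow-list of `sanitize_html` is not visible in this section; if it also admits other form controls (for example `select`, `textarea` or `label`), those would still pass through here, so the constant is worth checking against that allow-list when it is introduced. `validate` is shown in full; the rest of the `Comment` class lies outside this hunk.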


@ -142,7 +142,7 @@ def clean_script_and_style(html):
return frappe.as_unicode(soup)
def sanitize_html(html, linkify=False, always_sanitize=False):
def sanitize_html(html, linkify=False, always_sanitize=False, disallowed_tags=None):
"""
Sanitize HTML tags, attributes and style to prevent XSS attacks
Based on nh3 clean, bleach whitelist and html5lib's Sanitizer defaults
@ -167,6 +167,10 @@ def sanitize_html(html, linkify=False, always_sanitize=False):
.union(["html", "head", "meta", "link", "body", "o:p"])
)
# Allow caller to explicitly disallow some tags
if disallowed_tags:
tags.difference_update(disallowed_tags)
attributes = {"*": acceptable_attributes, "svg": svg_attributes}
# returns html with escaped tags, escaped orphan >, <, etc.
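Review bot: The new `disallowed_tags` parameter on the `def sanitize_html(html, linkify=False, always_sanitize=False, disallowed_tags=None):` line is not mentioned in the docstring that follows it, so a caller reading the help text cannot tell whether the values are tag names, whether they are case-sensitive, or what happens when a name is not in the allow-list; add a line such as `disallowed_tags: optional iterable of lowercase tag names to remove from the allow-list even though they are normally accepted (names not in the allow-list are ignored)`. In the second hunk, `tags.difference_update(disallowed_tags)` matches names exactly, and the allow-list entries visible on the `.union(["html", "head", "meta", "link", "body", "o:p"])` line are lowercase, so a caller passing `"Form"` or `"INPUT"` would silently block nothing; `tags.difference_update(t.lower() for t in disallowed_tags)` makes the block-list robust to that. `difference_update` also mutates `tags` in place; from the `.union(...)` chain just above it appears `tags` is a fresh set built per call, which is fine, but if it ever aliases a module-level set the caller's block-list would persist across calls, so that assumption is worth pinning with a comment. The body of `sanitize_html` continues outside both hunks.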