Merge branch 'develop' into control-date1

2022-04-06 17:41:48 +05:30 · 2022-04-06 17:41:48 +05:30 · ae4acd71f2
commit ae4acd71f2
parent 3d1bf21673 ff8231da9c
2 changed files with 38 additions and 6 deletions
--- a/frappe/templates/includes/comments/comment.html
+++ b/frappe/templates/includes/comments/comment.html
@ -1,14 +1,18 @@
 {% from "frappe/templates/includes/avatar_macro.html" import avatar %}

-<div class="comment-row media my-5">
+<div class="my-5 comment-row media">
 	<div class="comment-avatar">
-		{{  avatar(user_id=(comment.comment_email or comment.sender), size='avatar-medium') }}
+		{{  avatar(user_id=(frappe.utils.strip_html(comment.comment_email or comment.sender)), size='avatar-medium') }}
 	</div>
 	<div class="comment-content">
-		<div class="head mb-2">
-			<span class="title font-weight-bold mr-2">{{ comment.sender_full_name or comment.comment_by }}</span>
-			<span class="time small text-muted">{{ frappe.utils.pretty_date(comment.creation) }}</span>
+		<div class="mb-2 head">
+			<span class="mr-2 title font-weight-bold">
+				{{ frappe.utils.strip_html(comment.sender_full_name or comment.comment_by) | e }}
+			</span>
+			<span class="time small text-muted">
+				{{ frappe.utils.pretty_date(comment.creation) }}
+			</span>
 		</div>
-		<div class="content">{{ comment.content | markdown }}</div>
+		<div class="content">{{ frappe.utils.strip_html(comment.content) | markdown }}</div>
 	</div>
 </div>
--- a/frappe/website/doctype/blog_post/test_blog_post.py
+++ b/frappe/website/doctype/blog_post/test_blog_post.py
@ -117,6 +117,34 @@ class TestBlogPost(unittest.TestCase):

 		frappe.flags.force_website_cache = True

+	def test_spam_comments(self):
+		# Make a temporary Blog Post (and a Blog Category)
+		blog = make_test_blog('Test Spam Comment')
+
+		# Create a spam comment
+		frappe.get_doc(
+			doctype="Comment",
+			comment_type="Comment",
+			reference_doctype="Blog Post",
+			reference_name=blog.name,
+			comment_email="<a href=\"https://example.com/spam/\">spam</a>",
+			comment_by="<a href=\"https://example.com/spam/\">spam</a>",
+			published=1,
+			content="More spam content. <a href=\"https://example.com/spam/\">spam</a> with link.",
+		).insert()
+
+		# Visit the blog post page
+		set_request(path=blog.route)
+		blog_page_response = get_response()
+		blog_page_html = frappe.safe_decode(blog_page_response.get_data())
+
+		self.assertNotIn('<a href="https://example.com/spam/">spam</a>', blog_page_html)
+		self.assertIn("More spam content. spam with link.", blog_page_html)
+
+		# Cleanup
+		frappe.delete_doc("Blog Post", blog.name)
+		frappe.delete_doc("Blog Category", blog.blog_category)
+
 def scrub(text):
 	return WebsiteGenerator.scrub(None, text)