Add html sanitization.

Probably the html sent by your instance is already sanitized, but I haven't checked the Mastodon source to be sure.
2018-04-26 20:36:48 -04:00 · 2018-04-26 20:36:48 -04:00 · bf3af37003
parent e773511726
commit bf3af37003
3 changed files with 11 additions and 1 deletions
--- a/brutaldon/settings.py
+++ b/brutaldon/settings.py
@ -38,6 +38,7 @@ INSTALLED_APPS = [
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'widget_tweaks',
+    'sanitizer',
    'django.contrib.humanize',
    'brutaldon',
 ]
@ -122,3 +123,7 @@ USE_TZ = True

 STATIC_URL = '/static/'
 STATIC_ROOT = os.path.join(BASE_DIR, 'static')
+
+# Sanitizer settings
+SANITIZER_ALLOWED_TAGS = ['a', 'p', 'img', 'br', 'i', 'strong']
+SANITIZER_ALLOWED_ATTRIBUTES = ['href', 'src']
--- a/brutaldon/templates/main/toot_partial.html
+++ b/brutaldon/templates/main/toot_partial.html
@ -1,4 +1,5 @@
 {% load humanize %}
+{% load sanitizer %}

 <article class="media">
    <figure class="media-left">
@ -31,7 +32,7 @@
                </p>
            {% endif %}
            <div class="toot">
-                {{ toot.content | safe }}
+                {{ toot.content | strip_html | safe }}
            </div>

            {% if toot.media_attachments %}
--- a/requirements.txt
+++ b/requirements.txt
@ -1,8 +1,11 @@
+bleach==2.1.3
 certifi==2017.11.5
 chardet==3.0.4
 decorator==4.1.2
 Django==2.0.4
+django-html-sanitizer==0.1.5
 django-widget-tweaks==1.4.2
+html5lib==1.0.1
 idna==2.6
 Mastodon.py==1.2.1
 python-dateutil==2.6.1
@ -10,3 +13,4 @@ pytz==2017.3
 requests==2.18.4
 six==1.11.0
 urllib3==1.22
+webencodings==0.5.1