From bf3af37003fa87858de090b089a8692fb25d579f Mon Sep 17 00:00:00 2001
From: Jason McBrayer
Date: Thu, 26 Apr 2018 20:36:48 -0400
Subject: [PATCH] Add html sanitization. Probably the html sent by your instance is already sanitized, but I haven't checked the Mastodon source to be sure.
---
 brutaldon/settings.py | 5 +++++
 brutaldon/templates/main/toot_partial.html | 3 ++-
 requirements.txt | 4 ++++
 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/brutaldon/settings.py b/brutaldon/settings.py
index e3c19f8..dfb5080 100644
--- a/brutaldon/settings.py
+++ b/brutaldon/settings.py
@@ -38,6 +38,7 @@ INSTALLED_APPS = [
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'widget_tweaks',
+ 'sanitizer',
 'django.contrib.humanize',
 'brutaldon',
 ]
@@ -122,3 +123,7 @@ USE_TZ = True
 STATIC_URL = '/static/'
 STATIC_ROOT = os.path.join(BASE_DIR, 'static')
+
+# Sanitizer settings
+SANITIZER_ALLOWED_TAGS = ['a', 'p', 'img', 'br', 'i', 'strong']
+SANITIZER_ALLOWED_ATTRIBUTES = ['href', 'src']
diff --git a/brutaldon/templates/main/toot_partial.html b/brutaldon/templates/main/toot_partial.html
index 7a7b01b..d4f31b9 100644
--- a/brutaldon/templates/main/toot_partial.html
+++ b/brutaldon/templates/main/toot_partial.html
@@ -1,4 +1,5 @@
 {% load humanize %}
+{% load sanitizer %}
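Review bot: `SANITIZER_ALLOWED_ATTRIBUTES = ['href', 'src']` admits the two URL-bearing attributes without any scheme restriction visible in this hunk, so whether non-http(s)/mailto link targets are dropped depends on the sanitizer app passing bleach's default protocol list through unchanged; that is worth confirming against django-html-sanitizer 0.1.5 rather than assumed. Keeping `img` and `src` in the allow-lists also lets HTML federated from other instances trigger remote resource loads in the reader's browser, so if toot bodies are not expected to carry inline images, dropping both entries narrows the surface at no cost. A comment on the settings would record what the lists guarantee, e.g. `# Allow-lists applied by the sanitizer template filters; URL scheme filtering on href/src relies on bleach defaults (confirm)`.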
@@ -31,7 +32,7 @@

{% endif %}
- {{ toot.content | safe }}
+ {{ toot.content | strip_html | safe }}
{% if toot.media_attachments %}
diff --git a/requirements.txt b/requirements.txt
index 3a5f5ef..8ec8424 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,8 +1,11 @@
+bleach==2.1.3
 certifi==2017.11.5
 chardet==3.0.4
 decorator==4.1.2
 Django==2.0.4
+django-html-sanitizer==0.1.5
 django-widget-tweaks==1.4.2
+html5lib==1.0.1
 idna==2.6
 Mastodon.py==1.2.1
 python-dateutil==2.6.1
@@ -10,3 +13,4 @@ pytz==2017.3
 requests==2.18.4
 six==1.11.0
 urllib3==1.22
+webencodings==0.5.1
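Review bot: `{{ toot.content | strip_html | safe }}` makes the `safe` marker depend entirely on the allow-lists in settings, and nothing at the render site says so; a template comment such as `{# strip_html enforces SANITIZER_ALLOWED_TAGS/ATTRIBUTES; it must stay before 'safe' #}` would keep the filter order from being "simplified" away in a later edit. Only this one render site changes in the commit; if other templates print instance-supplied HTML with `| safe` (profile notes or spoiler text, presumably), they need the same filter. The surrounding template structure starts and ends outside the hunk.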